Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases

[Özkan KIRIK via Snort-devel <snort-devel () lists snort org>]

I'm still trying different versions to find where the bug exists.

- snort3.0.1.5 - detection and block action works properly
- snort3.0.2.1 - only sid 9000003 matches and blocking traffic. appid
doesnt match any traffic.

There is something wrong about appid detection with snort3 build >= 3.0.2.1
All the builds after 3.0.2.* have this issue. I wrote that appid_stats have
lines about wetransfer but after kill & restart snort3, I couldn't
reproduce wetransfer detection.

tests are run with a freebsd+snort3 gateway and 1 windows client only.

- snort3.0.2.1 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767

- snort3.0.1.5 - appid_stats.log with similar traffic
  # cat appid_stats.log
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220

On Fri, Sep 4, 2020 at 6:57 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:

> In addition to v3.0.2.5, appid_stats contains lines about wetransfer,
> facebook etc. But alert_json log don't have.
> I think there is a bug about rule matching for appids
>
> # grep -i wetransfer appid_stats.log
> 1599189911,WeTransfer,6560,3184
> 1599190202,WeTransfer,1951,1161
> 1599190803,WeTransfer,2086,6678
> 1599191404,WeTransfer,2086,6761
> # grep -i wetransfer alert_json.txt
> #
>
> On Fri, Sep 4, 2020 at 6:38 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
>
> > Hello,
> >
> > I am using FreeBSD stable/12 branch using netmap daq configuration.
> >
> > snort3 is configured in inline mode with simple ruleset as below:
> >
> > block ip any any -> any any ( msg: "block facebook"; appids:"facebook";
> >  sid:9000000; )
> > block ip any any -> any any ( msg: "block wetransfer ";
> > appids:"wetransfer";  sid:9000001; )
> > block ip any any -> any any ( msg: "block youtube"; appids:"youtube";
> >  sid:9000002; )
> > block icmp any any -> any any ( msg: "icmp inline test";  sid:9000003; )
> >
> > After upgrading from 3.0.1 to 3.0.2 appid detection not working.
> > same configuration with:
> > - snort3.0.1.2 - detection and block action works properly
> > - snort3.0.1.4 - detection and block action works properly
> > - snort3.0.2.4 - only sid 9000003 matches and blocking traffic. appid
> > doesnt match any traffic.
> > - snort3.0.2.5 - only sid 9000003 matches and blocking traffic. appid
> > doesnt match any traffic.
> >
> > appid = { app_detector_dir = '/usr/local/etc/snort' }
> > rate_filter = { }
> > stream = { }
> > stream_ip = { }
> > stream_icmp = { }
> > stream_tcp = { }
> > stream_udp = { }
> > arp_spoof = { }
> > back_orifice = { }
> > dnp3 = { }
> > dns = { }
> > http_inspect = { }
> > http2_inspect = { }
> > imap = { }
> > modbus = { }
> > normalizer = { tcp = { ips = true } }
> > pop = { }
> > rpc_decode = { }
> > sip = { }
> > ssh = { }
> > ssl = { }
> > telnet = { }
> > dce_smb = { }
> > dce_tcp = { }
> > dce_udp = { }
> > dce_http_proxy = { }
> > dce_http_server = { }
> >
> > In snort 3.0.2* do we need to change any configuration?
> >
> > Regards
> > Özkan
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!