Snort mailing list archives

Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases


From: "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 4 Sep 2020 17:19:34 +0000

Hello Ozkan,

Thanks for reporting the issue! Can you please provide us the pcaps that can reproduce this issue? Regarding your 
question about whether you need to change any configuration, the answer is no. No extra configuration is needed.

Thanks,
Shravan

On Sep 4, 2020, at 12:19 AM, Özkan KIRIK via Snort-devel <snort-devel () lists snort org> wrote:

I'm still trying different versions to find where the bug exists.

- snort3.0.1.5 - detection and block action works properly
- snort3.0.2.1 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.

There is something wrong with appid detection in snort3 builds >= 3.0.2.1.
All the builds after 3.0.2.* have this issue. I wrote that appid_stats has lines about wetransfer, but after kill &
restart of snort3 I couldn't reproduce wetransfer detection.

Tests are run with a FreeBSD+snort3 gateway and one Windows client only.

- snort3.0.2.1 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767

- snort3.0.1.5 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220

On Fri, Sep 4, 2020 at 6:57 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
In addition to v3.0.2.5, appid_stats contains lines about wetransfer, facebook etc., but the alert_json log doesn't.
I think there is a bug in rule matching for appids.

# grep -i wetransfer appid_stats.log
1599189911,WeTransfer,6560,3184
1599190202,WeTransfer,1951,1161
1599190803,WeTransfer,2086,6678
1599191404,WeTransfer,2086,6761
# grep -i wetransfer alert_json.txt
#

On Fri, Sep 4, 2020 at 6:38 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
Hello,

I am using FreeBSD stable/12 branch using netmap daq configuration.

snort3 is configured in inline mode with simple ruleset as below:

block ip any any -> any any ( msg: "block facebook"; appids:"facebook";  sid:9000000; )
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer";  sid:9000001; )
block ip any any -> any any ( msg: "block youtube"; appids:"youtube";  sid:9000002; )
block icmp any any -> any any ( msg: "icmp inline test";  sid:9000003; )

After upgrading from 3.0.1 to 3.0.2, appid detection is not working.
Same configuration with:
- snort3.0.1.2 - detection and block action work properly
- snort3.0.1.4 - detection and block action work properly
- snort3.0.2.4 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.
- snort3.0.2.5 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.

appid = { app_detector_dir = '/usr/local/etc/snort' }
rate_filter = { }
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
http2_inspect = { }
imap = { }
modbus = { }
normalizer = { tcp = { ips = true } }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }

In snort 3.0.2*, do we need to change any configuration?

Regards
Özkan
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

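The thread compares appid_stats.log output across builds and greps for a rule's appid by hand. The script below is an added example (not code from the thread or from the Snort project) that automates that triage: it aggregates appid_stats.log rows per application, lists applications that a baseline build saw but a candidate build did not, and flags rules whose appids never appear in the stats at all, so a non-firing rule can be separated from a detector that never identified the traffic. The sample data is the two listings and the four rules from the thread, embedded as constructed input; the column meaning (time, app, tx bytes, rx bytes) and the case-insensitive match between the `appids:` option and the stats app name are assumptions, not something the thread states.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# Constructed sample input: the two appid_stats.log listings from the thread.
STATS_3_0_2_1 = """\
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767
"""

STATS_3_0_1_5 = """\
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220
"""

# Constructed sample input: the ruleset posted in the thread.
RULES = """\
block ip any any -> any any ( msg: "block facebook"; appids:"facebook";  sid:9000000; )
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer";  sid:9000001; )
block ip any any -> any any ( msg: "block youtube"; appids:"youtube";  sid:9000002; )
block icmp any any -> any any ( msg: "icmp inline test";  sid:9000003; )
"""

APPIDS_RE = re.compile(r'appids\s*:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def parse_appid_stats(text):
    """Aggregate appid_stats.log rows into {app: (tx_bytes, rx_bytes)}.
    Assumption: columns are time, app name, tx bytes, rx bytes."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(StringIO(text)):
        if len(row) != 4:
            continue  # blank or malformed line
        _, app, tx, rx = row
        totals[app][0] += int(tx)
        totals[app][1] += int(rx)
    return {app: tuple(v) for app, v in totals.items()}


def rule_appids(rules_text):
    """Map each rule's sid to the lowercased set of appids it names
    (empty set for rules without an appids option)."""
    out = {}
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if not sid:
            continue
        m = APPIDS_RE.search(line)
        apps = {a.strip().lower() for a in m.group(1).split(",") if a.strip()} if m else set()
        out[int(sid.group(1))] = apps
    return out


def missing_apps(baseline, candidate, min_bytes=0):
    """Apps the baseline build identified that the candidate build never did."""
    return sorted(app for app, (tx, rx) in baseline.items()
                  if app not in candidate and tx + rx >= min_bytes)


def unverifiable_rules(rules, stats):
    """Sids whose appids never show up in the stats: for these, a missing
    alert cannot be blamed on rule matching, since appid never identified
    the traffic. Assumption: rule appid names match stats names case-insensitively."""
    seen = {app.lower() for app in stats}
    return sorted(sid for sid, apps in rules.items() if apps and not apps & seen)


if __name__ == "__main__":
    old, new = parse_appid_stats(STATS_3_0_1_5), parse_appid_stats(STATS_3_0_2_1)
    rules = rule_appids(RULES)
    print("apps seen on 3.0.1.5 but not on 3.0.2.1:", missing_apps(old, new))
    print("rules whose appid never appeared on 3.0.1.5:", unverifiable_rules(rules, old))
    print("rules whose appid never appeared on 3.0.2.1:", unverifiable_rules(rules, new))
```

Run against real files by reading them into the two string slots; the useful signal is the second and third lines of output: if sid 9000001 moves from "verifiable" on the old build to "unverifiable" on the new one, the regression is in application identification, not in rule matching, which is exactly the distinction the pcaps requested above would settle.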