Snort mailing list archives

Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases


From: "Shravan Rangarajuvenkata \(shrarang\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 24 Sep 2020 01:14:05 +0000

Hello Ozkan,

Thanks for providing more information about the repro! I don't see the search method you configured in the configuration 
below. Can you let us know if you are using Hyperscan for searching? If you are using Hyperscan, can you please 
disable it and let us know if that resolves your issue?

Thanks,
Shravan

On Sep 14, 2020, at 3:19 PM, Özkan KIRIK <ozkan.kirik () gmail com> wrote:

Hello,

I found the right way to reproduce the bug.

The main bug is related to rule reload.
1st test - Start with empty ruleset, reload with 1 appid block rule: detection does not work
2nd test - Start with 1 appid block rule, no reload: detection works
3rd test - Start with 1 appid block rule, reload with same rule: detection stops

Finally, if snort is reloaded (killall -HUP snort), appid detection stops working.

All versions >= 3.0.2.1 even 3.0.2.6 are affected.

Thanks,
Ozkan.

On Sat, Sep 5, 2020 at 1:02 PM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
Hello Shravan,

You can repeat the bug with this scenario:

Network:
[windows client] -> [snort3 inline bridge] -> [nat box] -> [internet]

IPS rule:
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer";  sid:9000001; )

config:
appid = { app_detector_dir = '/usr/local/etc/snort',  log_stats = true }

Traffic:
Open web browser on windows client and visit https://www.wetransfer.com/.

Thanks,
Ozkan

On Fri, Sep 4, 2020 at 8:19 PM Shravan Rangarajuvenkata (shrarang) <shrarang () cisco com> wrote:
Hello Ozkan,

Thanks for reporting the issue! Can you please provide us the pcaps that can reproduce this issue? Regarding your 
question about whether you need to change any configuration, the answer is no. No extra configuration is needed.

Thanks,
Shravan

On Sep 4, 2020, at 12:19 AM, Özkan KIRIK via Snort-devel <snort-devel () lists snort org> wrote:

I'm still trying different versions to find where the bug exists.

- snort3.0.1.5 - detection and block action works properly
- snort3.0.2.1 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.

There is something wrong with appid detection in snort3 builds >= 3.0.2.1.
All the builds after 3.0.2.* have this issue. I wrote that appid_stats has lines about wetransfer, but after a kill & 
restart of snort3, I couldn't reproduce wetransfer detection.

Tests are run with a FreeBSD+snort3 gateway and 1 Windows client only.

- snort3.0.2.1 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767

- snort3.0.1.5 - appid_stats.log with similar traffic
# cat appid_stats.log
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220

On Fri, Sep 4, 2020 at 6:57 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
In addition, on v3.0.2.5, appid_stats contains lines about wetransfer, facebook etc., but the alert_json log doesn't.
I think there is a bug about rule matching for appids.

# grep -i wetransfer appid_stats.log
1599189911,WeTransfer,6560,3184
1599190202,WeTransfer,1951,1161
1599190803,WeTransfer,2086,6678
1599191404,WeTransfer,2086,6761
# grep -i wetransfer alert_json.txt
#

On Fri, Sep 4, 2020 at 6:38 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
Hello,

I am using the FreeBSD stable/12 branch with the netmap DAQ configuration.

snort3 is configured in inline mode with a simple ruleset as below:

block ip any any -> any any ( msg: "block facebook"; appids:"facebook";  sid:9000000; )
block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer";  sid:9000001; )
block ip any any -> any any ( msg: "block youtube"; appids:"youtube";  sid:9000002; )
block icmp any any -> any any ( msg: "icmp inline test";  sid:9000003; )

After upgrading from 3.0.1 to 3.0.2, appid detection is not working.
Same configuration with:
- snort3.0.1.2 - detection and block action works properly
- snort3.0.1.4 - detection and block action works properly
- snort3.0.2.4 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.
- snort3.0.2.5 - only sid 9000003 matches and blocks traffic. appid doesn't match any traffic.

appid = { app_detector_dir = '/usr/local/etc/snort' }
rate_filter = { }
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
http2_inspect = { }
imap = { }
modbus = { }
normalizer = { tcp = { ips = true } }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }

In snort 3.0.2* do we need to change any configuration?

Regards
Özkan
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

