Snort mailing list archives

AppId FTP service detector problem


From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Fri, 23 Oct 2020 19:09:34 +0300

Hello, I have manual rules with appid:ftp, ftp_data and other ftp_* appid
rules.

None of them work on FTP traffic if I use the snort3-malware-other rules
(and maybe some others).

If I use only my manual appid ftp rule, then all is OK:
ftp/ftp_data/ftp_passive and so on WORK fine!

When I include the snort3-malware-other rule file in the config, the manual
appid rule doesn't work.

The ftp-server/client/wizard/binder inspectors are in the config.

I've recognized that some rules with sid 21256 and 21255 can influence
this problem.

Some AppIdDebug output from my log when the problem occurs:

Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: payload
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Published event for changes: service
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0* Ignoring connection with service FTP Data (166)*
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 *ftp service detector returned in-process (10)*
Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 Published event for changes: service
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0* Packet out-of-order, not-ok mid-stream flow*

Thanks.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
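Added here as an example, not code from the original post or from the Snort project: a small parser for the AppIdDbg lines quoted above that collapses them per flow, so a reader can see at a glance which service detector is stuck at in-process, which flow AppId ignored as FTP Data, and where a mid-stream session appeared. The sample lines are constructed from the excerpt above (re-joined onto single lines); the line layout and the candidate/detector verdict wording are assumed from that excerpt only.

```python
import re
from collections import defaultdict

# Assumed AppIdDbg layout, taken from the excerpt in the post (the '*' are e-mail emphasis, stripped first):
#   AppIdDbg <src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> <message>
LINE_RE = re.compile(r"AppIdDbg (\S+) (\d+) -> (\S+) (\d+) (\d+) AS=\d+ ID=\d+ (.+?)\]?$")
VERDICT_RE = re.compile(r"^(\w+) (service|client) (candidate|detector) returned ([\w-]+) \((\d+)\)$")

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent flow id, so both halves of one connection share an entry."""
    a, b = sorted([(src, int(sport)), (dst, int(dport))])
    return f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}/{proto}"

def summarize(lines):
    """Per-flow state: last verdict per (app, kind, stage), published events, ignore/mid-stream notes."""
    flows = defaultdict(lambda: {"verdicts": {}, "events": [], "ignored": None, "notes": []})
    for raw in lines:
        m = LINE_RE.search(raw.replace("*", ""))
        if not m:
            continue  # not an AppIdDbg line
        src, sport, dst, dport, proto, msg = m.groups()
        f = flows[flow_key(src, sport, dst, dport, proto)]
        v = VERDICT_RE.match(msg)
        if v:
            app, kind, stage, verdict, code = v.groups()
            f["verdicts"][(app, kind, stage)] = (verdict, int(code))  # keep only the latest verdict
        elif msg.startswith("Published event for changes:"):
            f["events"].append(msg.split(":", 1)[1].strip())
        elif msg.startswith("Ignoring connection"):
            f["ignored"] = msg
        elif "mid-stream" in msg or "out-of-order" in msg:
            f["notes"].append(msg)
    return dict(flows)

def unresolved(flows):
    """Flows whose service detector never got past in-process (the symptom described in the post)."""
    return {k for k, f in flows.items()
            if any(stage == "detector" and kind == "service" and verdict == "in-process"
                   for (_, kind, stage), (verdict, _) in f["verdicts"].items())}

# Constructed sample, re-joined onto single lines from the wrapped excerpt in the post.
SAMPLE = """\
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0* Ignoring connection with service FTP Data (166)*
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0* Packet out-of-order, not-ok mid-stream flow*
"""
```

Run `summarize(SAMPLE.splitlines())` against a real syslog capture with `appid_debug` enabled; `unresolved()` then lists the control flows on which the ftp detector never reached success, which is what the appid:ftp rule condition depends on.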
