Snort mailing list archives

Re: AppId FTP service detector problem


From: "Shravan Rangarajuvenkata \(shrarang\) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 4 Nov 2020 14:44:02 +0000

We tried to reproduce this issue locally but could not.

Is it possible for you to send a pcap with the traffic for which you are seeing this issue? Can you also send your snort3 configuration (the Lua files)?

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Date: Friday, October 23, 2020 at 5:12 PM
To: Meridoff <oagvozd () gmail com>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem

Thanks for reporting the issue! We will try to reproduce this issue locally and will reach out to you if we need any help.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Friday, October 23, 2020 at 2:17 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] AppId FTP service detector problem

Hello, I have manual rules with appid:ftp, ftp_data and other ftp_* appid rules.

None of them are working on FTP traffic if I use the snort3-malware-other rules (and maybe some others).

If I use only my manual appid ftp rule, then all is OK: ftp/ftp_data/ftp_passive and so on WORK fine!

When I include the snort3-malware-other rule file in the config, the manual appid rule doesn't work.

The ftp-server/client/wizard/binder inspectors are in the config.

I've recognized that some rules with sid 21256 and 21255 can influence this problem.

Some AppIdDebug output in my log when the problem occurs:

Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Published event for changes: payload
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Published event for changes: service
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 Published event for changes: service
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow

Thanks.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
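One way to make sense of AppIdDbg output like the report above when a detector seems to stay in-process, as an added example that is not part of the thread or of Snort itself: a small Python script that groups the debug lines by flow (both directions collapsed into one key), records every verdict code each service or client detector returned, and reports which detectors ever succeeded and where each one ended up. The regexes follow the line shape quoted in the report; the sample lines are constructed from that quote with the syslog wrapping undone.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AppIdDbg lines quoted in the report, unwrapped.
SAMPLE = """\
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
"""

# Fixed prefix of every AppIdDbg line: 5-tuple and AS/ID, then a free-text message.
LINE_RE = re.compile(r"AppIdDbg (?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) "
                     r"(?P<proto>\d+) AS=\d+ ID=\d+ (?P<msg>.*)$")
# "<detector> service|client candidate|detector returned <verdict> (<code>)"; code 0 = success.
VERDICT_RE = re.compile(r"^(?P<det>\S+) (?P<kind>service|client) (?:candidate|detector) "
                        r"returned [\w-]+ \((?P<code>\d+)\)")
RELATED_RE = re.compile(r"^Related flow created for (\S+)-(\d+) -> (\S+)-(\d+)")

def flow_key(m):  # direction-independent id so both halves of a session collapse together
    a, b = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
    return (a, b, int(m["proto"])) if a < b else (b, a, int(m["proto"]))

def parse(lines):
    flows = defaultdict(lambda: {"history": defaultdict(list), "related": [], "events": []})
    for line in lines:
        if not (m := LINE_RE.search(line)):
            continue
        msg = m["msg"].rstrip("]").strip()  # unwrap syslog "message repeated N times: [ ... ]"
        f = flows[flow_key(m)]
        if v := VERDICT_RE.match(msg):
            f["history"][f"{v['det']}/{v['kind']}"].append(int(v["code"]))
        elif r := RELATED_RE.match(msg):
            f["related"].append((r[1], int(r[2]), r[3], int(r[4])))  # expected data channel
        else:
            f["events"].append(msg)
    return flows

def summarize(flows):
    """Per flow: detectors that ever succeeded, each detector's final code, and whether
    AppId ever settled on a service (which is what an appid rule needs to match)."""
    out = {}
    for key, f in flows.items():
        succeeded = sorted(d for d, codes in f["history"].items() if 0 in codes)
        out[key] = {"succeeded": succeeded, "related": f["related"], "events": f["events"],
                    "final": {d: codes[-1] for d, codes in f["history"].items()},
                    "service_identified": any(d.endswith("/service") for d in succeeded)}
    return out
```

On the sample the control flow shows ftp/service succeeded once and then kept returning in-process, while the data channel was ignored as FTP Data; a flow where no service detector ever returns 0 is the first thing to check when an appid rule does not fire.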
