Snort mailing list archives

Re: AppId FTP service detector problem


From: Rdtsc via Snort-devel <snort-devel () lists snort org>
Date: Fri, 20 Nov 2020 18:08:57 +0300

Sure, will do that.

Sending pcaps:

1. ftpBad/ftpOk are pcaps for the bad and good cases from Wireshark on
the Windows 7 client (where the FTP client runs)

2. ftpGateBad/ftpGateOk are pcaps for the bad and good cases from tcpdump
on the Linux gate (where snort runs)




Fri, 20 Nov 2020 at 09:07, Kani Murthi (kamurthi) <kamurthi () cisco com>:

Hi,

It looks like the pcap has been captured with the “any” device option, which
is causing a pseudo-protocol issue. Could you capture the traffic with the actual
interface? Also, could you run it against snort3 to avoid any pcap-related
errors?



Thanks,

Kani

From: Meridoff <oagvozd () gmail com>
Date: Tuesday, November 10, 2020 at 2:41 PM
To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Subject: Re: [Snort-devel] AppId FTP service detector problem



Sure, here it is.



My client is Windows 7 running FileZilla to go to the anonymous FTP at
ftp.botik.ru.



My gate is Linux with snort 3.0.1 (build 4), Lua 5.1, which does NAT
masquerade for Internet access from the LAN.



Snort is in NFQ/TAP mode. The nfqueue rule is set up OK and works. Using only
1 thread in snort (for simplicity).



Configs and pcaps are included.



Files description:



1. configBAD (when there are no alerts at all) is the same as configOK (when
alerts work fine), except that it includes snort-malware-other.rules

2. m.rules is my appid rules; in the case of configOK, rule "FTP" is alerted

3. pcap files are the same FTP traffic for both cases, OK and BAD.



Wed, 4 Nov 2020 at 17:44, Shravan Rangarajuvenkata (shrarang) <
shrarang () cisco com>:

We tried to reproduce this issue locally but could not.



Is it possible for you to send a pcap with the traffic for which you are
seeing this issue? Can you also send your snort3 configuration (the Lua
files)?



Thanks,

Shravan



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of
"Shravan Rangarajuvenkata (shrarang) via Snort-devel" <
snort-devel () lists snort org>
Reply-To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Date: Friday, October 23, 2020 at 5:12 PM
To: Meridoff <oagvozd () gmail com>, "snort-devel () lists snort org" <
snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppId FTP service detector problem



Thanks for reporting the issue! We will try to reproduce this issue
locally and will reach out to you if we need any help.



Thanks,

Shravan



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of
Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Friday, October 23, 2020 at 2:17 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] AppId FTP service detector problem



Hello, I have manual rules with appid:ftp, ftp_data and other ftp_* appid
rules.



None of them are working on FTP traffic if I use the snort3-malware-other
rules (and maybe some others).



If I use only my manual appid ftp rule, then all is OK:
ftp/ftp_data/ftp_passive and so on work fine!



When I include the snort3-malware-other rule file in the config, the manual appid
rule doesn't work.



Inspectors ftp-server/client/wizard/binder are in config.



I've recognized that some rules with sid 21256 and 21255 can influence
this problem.



Some AppidDebug in my log when problem occurs:



Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 pop3 client candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 Published event for changes: service, version
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 pop3 client candidate returned success (0)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 11 times: [ AppIdDbg
10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector
returned in-process (10)]
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 Related flow created for 10.0.1.3-0 -> 193.232.174.1-44689 6
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 Published event for changes: payload
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1
44689 6 AS=0 ID=0 Published event for changes: service
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1
44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: message repeated 2 times: [ AppIdDbg
10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector
returned in-process (10)]
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3
49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3
49283 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3
49283 6 AS=0 ID=0 Published event for changes: service
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1
21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow



Thanks.




Attachment: ftpGateBad.pcap
Attachment: ftpBAD.pcapng
Attachment: ftpGateOk.pcap
Attachment: ftpOK.pcapng

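A small triage helper, added here as an example and not part of the thread or of Snort itself: it parses AppIdDbg lines of the format quoted in the original report, groups them per bidirectional flow, and flags flows where AppId went mid-stream or where no service detector ever returned success. The sample lines are constructed from the format above, and the problem labels are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AppIdDbg lines quoted in the report.
SAMPLE_LOG = """\
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned in-process (10)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 smtp service candidate returned no-match (100)
Oct 23 18:55:35 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service candidate returned success (0)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 ftp service detector returned in-process (10)
Oct 23 18:55:41 ns snort[29636]: AppIdDbg 10.0.1.3 49284 -> 193.232.174.1 44689 6 AS=0 ID=0 Ignoring connection with service FTP Data (166)
Oct 23 19:05:41 ns snort[29636]: AppIdDbg 193.232.174.1 21 -> 10.0.1.3 49283 6 AS=0 ID=0 New AppId mid-stream session
Oct 23 19:05:42 ns snort[29636]: AppIdDbg 10.0.1.3 49283 -> 193.232.174.1 21 6 AS=0 ID=0 Packet out-of-order, not-ok mid-stream flow
"""

LINE_RE = re.compile(
    r"AppIdDbg (?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<proto>\d+) AS=\d+ ID=\d+ (?P<msg>.*)$")
# "<name> service|client candidate|detector returned <state> (<code>)"
RESULT_RE = re.compile(
    r"(?P<name>\w+) (?P<kind>service|client) (?:candidate|detector) "
    r"returned (?P<state>[\w-]+) \((?P<code>\d+)\)")

def flow_key(m):
    # Order the endpoints so both directions of a connection share one key.
    ends = sorted([(m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))])
    return (ends[0], ends[1], int(m["proto"]))

def summarize(log_text):
    flows = defaultdict(lambda: {"results": [], "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m["msg"].rstrip("]").strip()  # syslog "message repeated N times: [...]"
        r = RESULT_RE.match(msg)
        f = flows[flow_key(m)]
        if r:
            f["results"].append((r["name"], r["kind"], r["state"], int(r["code"])))
        else:
            f["events"].append(msg)
    return dict(flows)

def flag_problems(flows):
    # Assumed heuristics: a mid-stream pickup, or a flow whose service
    # detectors ran but never reached success, both deserve a closer look.
    problems = {}
    for key, f in flows.items():
        issues = []
        if any("mid-stream" in e for e in f["events"]):
            issues.append("mid-stream")
        svc = [r for r in f["results"] if r[1] == "service"]
        if svc and not any(r[2] == "success" for r in svc):
            issues.append("no service success")
        if issues:
            problems[key] = issues
    return problems
```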
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
