Snort mailing list archives
AppID and OpenVPN (snort 3 on FreeBSD 12.x)
From: mike tancsa <mike () sentex net>
Date: Wed, 11 Aug 2021 09:45:38 -0400
I am just starting to experiment with snort3 and was trying out some
local rulesets that I think should work, but are not working. The first rule
does log, so, so far so good:
alert icmp $HOME_NET any -> 8.8.8.8/32 any (msg:"ICMP connection test"; sid:1000001; rev:1;)
8/11-09:27:26.408136 [**] [1:1000001:1] "ICMP connection test" [**]
[Priority: 0] {ICMP} 192.168.0.67 -> 8.8.8.8
But I can't get the second to fire for some reason.
alert udp any any -> any any ( msg:"OpenVPN found"; appids:"OpenVPN"; sid:1000002; rev:1; )
I am using UDP for the protocol, but it's on a non-standard port. I
think I added the port to the right location
(content_group_port_services_2pac_old.lua):
-- OpenVPN
{353, 1194, 6},
{353, 1194, 17},
{353, 11600, 17},
but it still does not pick it up.
Also, is it all just port based, or does the AppID engine have enough
smarts to recognize the protocol if it's running on an arbitrary port?
I am using snort3 from the ports. In the AppID stats, I do get
1628612851,__unknown,83634,820169
1628612851,DNS,1570,4699
1628612851,Firefox,10558,297761
1628612851,HTTP,41289,1290390
1628612851,OpenSSH,4743,4196
1628612851,RTP,606476,606476
1628612851,SSH,4743,4196
1628612851,IMAPS,15537,605189
1628612851,HTTPS,2036,6811
1628612851,MDNS,1520,0
I guess it's just part of "unknown"?
# snort -v -c /usr/local/etc/snort/snort.lua -i em0 -l /var/log/snort/
--------------------------------------------------
o")~ Snort++ 3.1.7.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Lua Allowlist Keywords for /usr/local/etc/snort/snort.lua:
default_classifications, default_ftp_server, default_gtp,
default_hi_port_scan, default_low_port_scan,
default_med_port_scan,
default_references, default_smtp, default_variables,
default_wizard,
file_magic, ftp_command_specs, gtp_v0_info, gtp_v0_msg,
gtp_v1_info,
gtp_v1_msg, gtp_v2_info, gtp_v2_msg, http_methods,
icmp_hi_sweep,
icmp_low_sweep, icmp_med_sweep, ip_hi_decoy, ip_hi_dist,
ip_hi_proto,
ip_hi_sweep, ip_low_decoy, ip_low_dist, ip_low_proto,
ip_low_sweep,
ip_med_decoy, ip_med_dist, ip_med_proto, ip_med_sweep,
netflow_versions,
sip_methods, smtp_default_alt_max_command_lines,
tcp_hi_decoy, tcp_hi_dist,
tcp_hi_ports, tcp_hi_sweep, tcp_low_decoy, tcp_low_dist,
tcp_low_ports,
tcp_low_sweep, tcp_med_decoy, tcp_med_dist,
tcp_med_ports, tcp_med_sweep,
telnet_commands, udp_hi_decoy, udp_hi_dist,
udp_hi_ports, udp_hi_sweep,
udp_low_decoy, udp_low_dist, udp_low_ports,
udp_low_sweep, udp_med_decoy,
udp_med_dist, udp_med_ports, udp_med_sweep
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
smtp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
alerts
file_log
alert_fast
ips
process
binder
wizard
stream_udp
appid
file_id
ftp_data
search_engine
ftp_server
port_scan
dce_http_server
dce_tcp
dce_smb
telnet
ssl
sip
rpc_decode
netflow
iec104
http2_inspect
http_inspect
modbus
host_tracker
stream_user
stream_ip
back_orifice
classifications
dnp3
active
ftp_client
decode
daq
stream
references
arp_spoof
output
trace
dns
network
dce_udp
imap
stream_file
Finished /usr/local/etc/snort/snort.lua:
Loading
/usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules:
Finished
/usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules:
Loading ips.rules:
Loading /usr/local/etc/snort/rules/snort3-app-detect.rules:
Finished /usr/local/etc/snort/rules/snort3-app-detect.rules:
Loading /usr/local/etc/snort/rules/snort3-browser-chrome.rules:
Finished /usr/local/etc/snort/rules/snort3-browser-chrome.rules:
Loading /usr/local/etc/snort/rules/snort3-sql.rules:
Finished /usr/local/etc/snort/rules/snort3-sql.rules:
Loading /usr/local/etc/snort/rules/snort3-x11.rules:
Finished /usr/local/etc/snort/rules/snort3-x11.rules:
Loading /usr/local/etc/snort/rules/local.rules:
Finished /usr/local/etc/snort/rules/local.rules:
Finished ips.rules:
--------------------------------------------------
rule counts
total rules loaded: 1452
duplicate rules: 2
text rules: 867
builtin rules: 585
option chains: 1452
chain headers: 507
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 648 4 1 0
src 135 2 0 0
dst 564 98 0 0
both 0 1 0 0
total 1347 105 1 0
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 1452 2 1452 /usr/local/etc/snort/snort.lua
--------------------------------------------------
flowbits
defined: 26
not checked: 16
not set: 4
--------------------------------------------------
service rule counts to-srv to-cli
dns: 89 2
drda: 2 0
ftp: 7 2
ftp-data: 0 17
http: 499 101
http2: 499 101
imap: 0 17
irc: 4 1
mysql: 1 0
netbios-ssn: 15 1
pop3: 0 17
smtp: 25 0
ssl: 14 31
telnet: 1 0
total: 1156 290
--------------------------------------------------
fast pattern port groups src dst any
packet: 14 30 2
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 11 7
key: 2 0
header: 2 5
body: 2 0
file: 2 5
method: 2 0
--------------------------------------------------
search engine
instances: 80
patterns: 1801
pattern chars: 38436
num states: 29742
num match states: 1804
memory scale: KB
total memory: 841.234
pattern memory: 107.809
match list memory: 297.266
transition memory: 426.16
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
appid:
app_detector_dir: /usr/local/etc/snort/appid
app_stats_period: 300
app_stats_rollover_size: 20971520
list_odp_detectors: disabled
tp_appid_stats_enable: disabled
tp_appid_config_dump: disabled
log_all_sessions: disabled
log_stats: enabled
memcap: 1048576
--------------------------------------------------
arp_spoof:
--------------------------------------------------
back_orifice:
--------------------------------------------------
binder:
bindings:
{ when = { role = server, proto = udp, ports = 53 },
use = { type = dns } }
{ when = { role = server, proto = tcp, ports = 53 },
use = { type = dns } }
{ when = { role = server, proto = tcp, ports = 111 },
use = { type = rpc_decode } }
{ when = { role = server, proto = tcp, ports = 502 },
use = { type = modbus } }
{ when = { role = server, proto = tcp, ports = 2123 2152 3386 },
use = { type = gtp_inspect } }
{ when = { role = server, proto = tcp, ports = 2404 },
use = { type = iec104 } }
{ when = { service = dcerpc, proto = tcp },
use = { type = dce_tcp } }
{ when = { service = dcerpc, proto = udp },
use = { type = dce_udp } }
{ when = { service = netflow, proto = udp },
use = { type = netflow } }
{ when = { service = netbios-ssn },
use = { type = dce_smb } }
{ when = { service = dce_http_server },
use = { type = dce_http_server } }
{ when = { service = dce_http_proxy },
use = { type = dce_http_proxy } }
{ when = { service = dnp3 },
use = { type = dnp3 } }
{ when = { service = dns },
use = { type = dns } }
{ when = { service = ftp },
use = { type = ftp_server } }
{ when = { service = ftp-data },
use = { type = ftp_data } }
{ when = { service = gtp },
use = { type = gtp_inspect } }
{ when = { service = imap },
use = { type = imap } }
{ when = { service = http },
use = { type = http_inspect } }
{ when = { service = http2 },
use = { type = http2_inspect } }
{ when = { service = iec104 },
use = { type = iec104 } }
{ when = { service = modbus },
use = { type = modbus } }
{ when = { service = pop3 },
use = { type = pop } }
{ when = { service = ssh },
use = { type = ssh } }
{ when = { service = sip },
use = { type = sip } }
{ when = { service = smtp },
use = { type = smtp } }
{ when = { service = ssl },
use = { type = ssl } }
{ when = { service = sunrpc },
use = { type = rpc_decode } }
{ when = { service = telnet },
use = { type = telnet } }
{ when = { },
use = { type = wizard } }
--------------------------------------------------
dce_http_proxy:
--------------------------------------------------
dce_http_server:
--------------------------------------------------
dce_smb:
limit_alerts: enabled
disable_defrag: disabled
max_frag_len: 65535
policy: WinXP
reassemble_threshold: 0
smb_fingerprint_policy: disabled
smb_max_chain: 3
smb_max_compound: 3
valid_smb_versions: all
smb_file_depth: 16384
smb_invalid_shares: none
smb_legacy_mode: disabled
smb_max_credit: 8192
--------------------------------------------------
dce_tcp:
limit_alerts: enabled
disable_defrag: disabled
max_frag_len: 65535
policy: WinXP
reassemble_threshold: 0
--------------------------------------------------
dce_udp:
limit_alerts: enabled
disable_defrag: disabled
max_frag_len: 65535
--------------------------------------------------
dnp3:
check_crc: disabled
--------------------------------------------------
dns:
--------------------------------------------------
file_id:
enable_type: enabled
type_depth: 1460
enable_signature: disabled
block_timeout_lookup: disabled
enable_capture: disabled
lookup_timeout: 2
max_files_cached: 65536
max_files_per_flow: 128
show_data_depth: 100
trace_type: disabled
trace_signature: disabled
trace_stream: disabled
verdict_delay: 0
--------------------------------------------------
file_log:
log_pkt_time: enabled
log_sys_time: disabled
--------------------------------------------------
ftp_client:
bounce: disabled
ignore_telnet_erase_cmds: disabled
max_resp_len: 4294967295
telnet_cmds: disabled
--------------------------------------------------
ftp_data:
--------------------------------------------------
ftp_server:
check_encrypted: disabled
def_max_param_len: 100
encrypted_traffic: disabled
ignore_data_chan: disabled
ignore_telnet_erase_cmds: disabled
telnet_cmds: disabled
print_cmds: disabled
--------------------------------------------------
gtp_inspect:
--------------------------------------------------
http2_inspect:
concurrent_streams_limit: 100
--------------------------------------------------
http_inspect:
request_depth: -1 (unlimited)
response_depth: -1 (unlimited)
unzip: enabled
normalize_utf: enabled
decompress_pdf: disabled
decompress_swf: disabled
decompress_zip: disabled
script_detection: disabled
normalize_javascript: disabled
max_javascript_whitespaces: 200
js_normalization_depth: 0
percent_u: disabled
utf8: enabled
utf8_bare_byte: disabled
iis_unicode: disabled
iis_unicode_code_page: 1252
iis_double_decode: enabled
oversize_dir_length: 300
backslash_to_slash: enabled
plus_to_space: enabled
simplify_path: enabled
xff_headers: x-forwarded-for true-client-ip
request_body_app_detection: disabled
--------------------------------------------------
iec104:
--------------------------------------------------
imap:
b64_decode_depth: -1 (unlimited)
qp_decode_depth: -1 (unlimited)
uu_decode_depth: -1 (unlimited)
bitenc_decode_depth: -1 (unlimited)
decompress_pdf: disabled
decompress_swf: disabled
decompress_zip: disabled
--------------------------------------------------
modbus:
--------------------------------------------------
netflow:
update_timeout: 3600
--------------------------------------------------
normalizer:
ip4: disabled
ip6: disabled
icmp4: disabled
icmp6: disabled
tcp: enabled
tcp: { ecn = disabled, block = disabled, rsv =
disabled, pad = disabled, req_urg
= disabled, req_pay = disabled, req_urp =
disabled, urp = disabled, ips =
enabled, trim = disabled }
--------------------------------------------------
pop:
b64_decode_depth: -1 (unlimited)
qp_decode_depth: -1 (unlimited)
uu_decode_depth: -1 (unlimited)
bitenc_decode_depth: -1 (unlimited)
decompress_pdf: disabled
decompress_swf: disabled
decompress_zip: disabled
--------------------------------------------------
port_scan:
memcap: 10485760
protos: all
scan_types: all
alert_all: disabled
include_midstream: disabled
tcp_window: 90
udp_window: 90
ip_window: 90
icmp_window: 90
--------------------------------------------------
rpc_decode:
--------------------------------------------------
sip:
ignore_call_channel: disabled
max_call_id_len: 256
max_contact_len: 256
max_content_len: 1024
max_dialogs: 4
max_from_len: 256
max_requestName_len: 20
max_to_len: 256
max_uri_len: 256
max_via_len: 1024
methods: invite cancel ack bye register options
--------------------------------------------------
smtp:
normalize: none
normalize_cmds: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND
ESOM ETRN EVFY EXPN HELO HELP
IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML
SEND STARTTLS SOML TICK TIME
TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
XEXCH50 XGEN XLICENSE
X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING
X-ADAT X-DRCP X-ERCP X-EXCH50
ignore_tls_data: disabled
max_command_line_len: 512
alt_max_command_line_len: { {ATRN, 255}, {AUTH, 246}, {BDAT, 255},
{DATA, 246}, {DEBUG, 255}, {EHLO,
500}, {EMAL, 255}, {ESAM, 255}, {ESND, 255},
{ESOM, 255}, {ETRN, 500},
{EVFY, 255}, {EXPN, 255}, {HELO, 500}, {HELP,
500}, {IDENT, 255}, {MAIL,
260}, {NOOP, 255}, {ONEX, 246}, {QUEU, 246},
{QUIT, 246}, {RCPT, 300},
{RSET, 255}, {SAML, 246}, {SEND, 246}, {SIZE,
255}, {STARTTLS, 246}, {SOML,
246}, {TICK, 246}, {TIME, 246}, {TURN, 246},
{TURNME, 246}, {VERB, 246},
{VRFY, 255}, {X-EXPS, 246}, {XADR, 246},
{XAUTH, 246}, {XCIR, 246},
{XEXCH50, 246}, {XGEN, 246}, {XLICENSE, 246},
{X-LINK2STATE, 246}, {XQUE,
246}, {XSTA, 246}, {XTRN, 246}, {XUSR, 246} }
max_header_line_len: 1000
max_auth_command_line_len: 1000
max_response_line_length: 512
xlink2state: alert
invalid_cmds: none
auth_cmds: AUTH X-EXPS XAUTH
binary_data_cmds: BDAT XEXCH50
data_cmds: DATA
valid_cmds: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND
ESOM ETRN EVFY EXPN HELO HELP
IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML
SEND SIZE STARTTLS SOML TICK
TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH
XCIR XEXCH50 XGEN XLICENSE
X-LINK2STATE XQUE XSTA XTRN XUSR * CHUNKING
X-ADAT X-DRCP X-ERCP X-EXCH50
b64_decode_depth: -1 (unlimited)
qp_decode_depth: -1 (unlimited)
uu_decode_depth: -1 (unlimited)
bitenc_decode_depth: -1 (unlimited)
ignore_data: disabled
decompress_pdf: disabled
decompress_swf: disabled
decompress_zip: disabled
log_mailfrom: disabled
log_rcptto: disabled
log_filename: enabled
log_email_hdrs: disabled
--------------------------------------------------
so_proxy:
--------------------------------------------------
ssh:
max_encrypted_packets: 25
max_client_bytes: 19600
max_server_version_len: 80
--------------------------------------------------
ssl:
trust_servers: disabled
max_heartbeat_length: 0
--------------------------------------------------
stream:
ip_frags_only: disabled
max_flows: 476288
max_aux_ip: 16
pruning_timeout: 30
ip_cache: { idle_timeout = 180, cap_weight = 0 }
tcp_cache: { idle_timeout = 3600, cap_weight = 11000 }
udp_cache: { idle_timeout = 180, cap_weight = 0 }
icmp_cache: { idle_timeout = 180, cap_weight = 0 }
user_cache: { idle_timeout = 180, cap_weight = 0 }
file_cache: { idle_timeout = 180, cap_weight = 32 }
--------------------------------------------------
stream_file:
upload: disabled
--------------------------------------------------
stream_icmp:
session_timeout: 30
--------------------------------------------------
stream_ip:
max_frags: 8192
max_overlaps: 0
min_frag_length: 0
min_ttl: 1
policy: linux
session_timeout: 30
--------------------------------------------------
stream_tcp:
flush_factor: 0
max_pdu: 16384
max_window: 0
no_ack: disabled
overlap_limit: 0
policy: bsd
queue_limit: { max_bytes = 1048576, max_segments = 2621 }
reassemble_async: enabled
require_3whs: -1 (disabled)
session_timeout: 30
small_segments: { count = 0, maximum_size = 0 }
track_only: disabled
--------------------------------------------------
stream_udp:
session_timeout: 30
--------------------------------------------------
stream_user:
session_timeout: 30
--------------------------------------------------
telnet:
ayt_attack_thresh: -1
check_encrypted: disabled
encrypted_traffic: disabled
normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to passive.
--------------------------------------------------
host_cache
memcap: 8388608 bytes
Commencing packet processing
++ [0] em0
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
---Mike
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
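The question above turns on the difference between a port-based service entry (an {appid, port, proto} row such as the ones Mike added) and a detector that looks at the payload and therefore still works when OpenVPN is moved to port 11600. The following is an added example written for this archive page; it is not Snort's AppID code and not code from the original post. It contrasts a pure port lookup with a small heuristic that parses the first packet in each direction of the OpenVPN TLS-mode handshake (P_CONTROL_HARD_RESET_CLIENT_V2 / P_CONTROL_HARD_RESET_SERVER_V2, opcodes and byte layout taken from OpenVPN's protocol, with the first byte being opcode<<3 | key_id). It assumes a server without tls-auth or tls-crypt (those insert an HMAC, packet id and timestamp after the session id and would need a second layout branch); the sample packets are constructed, not captured, and the function names are this example's own.

```python
"""Toy port-independent OpenVPN/UDP classifier (added example, not Snort AppID code)."""
import struct

# Opcodes from OpenVPN's ssl.h.  First byte on the wire is (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_OPCODE_SHIFT = 3
P_KEY_ID_MASK = 0x07

UDP = 17
OPENVPN_PORTS = {1194}   # all that a purely port-based service table knows about


def port_based_appid(proto: int, dport: int) -> str:
    """Mimic a port-only lookup: the registered port maps to OpenVPN, anything else is unknown."""
    return "OpenVPN" if proto == UDP and dport in OPENVPN_PORTS else "__unknown"


def parse_hard_reset(payload: bytes):
    """Parse a P_CONTROL_HARD_RESET_*_V2 packet without tls-auth/tls-crypt.

    Layout: op/keyid(1) | session_id(8) | ack_count(1) | acked_pids(4*n)
            | remote_session_id(8) only if n > 0 | packet_id(4)
    Returns a dict, or None if the bytes do not fit this layout exactly.
    """
    if len(payload) < 14:
        return None
    opcode = payload[0] >> P_OPCODE_SHIFT
    key_id = payload[0] & P_KEY_ID_MASK
    if opcode not in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2):
        return None
    if key_id != 0:                      # a hard reset always starts with key id 0
        return None
    session_id = payload[1:9]
    if session_id == bytes(8):           # session ids are random 64-bit values
        return None
    ack_count = payload[9]
    pos = 10
    acked = []
    for _ in range(ack_count):
        if pos + 4 > len(payload):
            return None
        acked.append(struct.unpack("!I", payload[pos:pos + 4])[0])
        pos += 4
    remote_session_id = None
    if ack_count:
        if pos + 8 > len(payload):
            return None
        remote_session_id = payload[pos:pos + 8]
        pos += 8
    if pos + 4 != len(payload):          # a reset carries no TLS payload behind the packet id
        return None
    packet_id = struct.unpack("!I", payload[pos:pos + 4])[0]
    return {"opcode": opcode, "session_id": session_id, "acked": acked,
            "remote_session_id": remote_session_id, "packet_id": packet_id}


def classify_flow(client_payload: bytes, server_payload: bytes) -> str:
    """Payload-based verdict for a UDP flow from its first packet in each direction."""
    c = parse_hard_reset(client_payload)
    s = parse_hard_reset(server_payload)
    if not c or not s:
        return "__unknown"
    # Client reset: nothing acked yet, packet id 0.
    if c["opcode"] != P_CONTROL_HARD_RESET_CLIENT_V2 or c["acked"] or c["packet_id"] != 0:
        return "__unknown"
    # Server reset must ack the client's packet 0 and echo the client's session id.
    if (s["opcode"] != P_CONTROL_HARD_RESET_SERVER_V2 or s["acked"] != [0]
            or s["remote_session_id"] != c["session_id"] or s["packet_id"] != 0):
        return "__unknown"
    return "OpenVPN"


# --- constructed sample traffic (not a capture) -----------------------------
CLIENT_SID = bytes.fromhex("0102030405060708")
SERVER_SID = bytes.fromhex("a1a2a3a4a5a6a7a8")
CLIENT_RESET = (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT]) + CLIENT_SID
                + b"\x00" + struct.pack("!I", 0))
SERVER_RESET = (bytes([P_CONTROL_HARD_RESET_SERVER_V2 << P_OPCODE_SHIFT]) + SERVER_SID
                + b"\x01" + struct.pack("!I", 0) + CLIENT_SID + struct.pack("!I", 0))
# A DNS-looking query sent to the same port: txid, flags, counts, qname, qtype, qclass.
NOT_OPENVPN = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
               + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1))


def demo():
    """Both strategies on the two ports from the post: 1194 and the moved port 11600."""
    flows = [
        ("1194 real handshake", 1194, CLIENT_RESET, SERVER_RESET),
        ("11600 real handshake", 11600, CLIENT_RESET, SERVER_RESET),
        ("11600 not openvpn", 11600, NOT_OPENVPN, SERVER_RESET),
    ]
    return {name: (port_based_appid(UDP, port), classify_flow(c, s)) for name, port, c, s in flows}


if __name__ == "__main__":
    for name, (by_port, by_payload) in demo().items():
        print(f"{name:22s} port-based={by_port:10s} payload-based={by_payload}")
```

Two caveats a practitioner should keep in mind. First, the heuristic is unauthenticated: anyone can send 14 bytes that look like a client reset, so an `appids:` style match is a classification hint for inspection and policy, not proof that a real OpenVPN peer is on the wire. Second, a server configured with tls-auth or tls-crypt changes the packet layout after the session id, so this example returns "__unknown" for such handshakes; a detector meant for production has to carry that second branch as well.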
Current thread:
- AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 13)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Shravan Rangarajuvenkata (shrarang) via Snort-devel (Aug 13)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 15)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) 文浩 via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Costas Kleopa (ckleopa) via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) 文浩 via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 15)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Shravan Rangarajuvenkata (shrarang) via Snort-devel (Aug 13)
