Snort mailing list archives
Re: snort3: appid can not detect ssh
From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 27 Apr 2022 13:27:14 +0000
Hello,

Do you have a config file that you can share?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Wednesday, April 27, 2022 at 6:58 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: appid can not detect ssh

Hello,

I use snort 3.1.20 and try to detect the appid OpenSSH. I've set up the ssh inspector, binder, and stream inspectors, and made an SSH request through router srv1. All appids are loaded in snort. No ssh is detected. In the log I can see:

Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service

The line "handle: serv.fin:1 cli.fin:0" in the log is my debug output in the void SshEventHandler::handle(DataEvent& event, Flow* flow) function, placed before the "if (data->service_info.finished and data->client_info.finished)" line. Is it a bug or something wrong with my setup?

Thanks
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
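The AppIdDbg lines quoted in the thread can be triaged mechanically rather than read by eye. The following is an added example, not code from the thread or from the Snort project: a small Python parser for the AppIdDbg line format that groups events per flow and reports what the SSH event handler had seen by the time service/client discovery stopped. It assumes that the flow-less "handle: serv.fin:1 cli.fin:0" debug line belongs to the most recently logged flow (the poster's own print carries no 5-tuple), and the sample input is the quoted log reproduced inline as constructed data.

```python
import re
from collections import defaultdict

# Constructed sample input: the AppIdDbg lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service
"""

# syslog prefix + "AppIdDbg" marker; everything after the marker is the message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: AppIdDbg (?P<msg>.*)$')
# per-flow messages start with "src sport -> dst dport proto AS=n ID=n"
FLOW_RE = re.compile(
    r'^(?P<src>[\d.]+) (?P<sport>\d+) -> (?P<dst>[\d.]+) (?P<dport>\d+) (?P<proto>\d+) '
    r'AS=\d+ ID=\d+ (?P<event>.*)$')
VERSION_RE = re.compile(r'read SSH version string with vendor (?P<vendor>\S+) and version (?P<version>\S+)')
FIN_RE = re.compile(r'handle: serv\.fin:(?P<serv>[01]) cli\.fin:(?P<cli>[01])')  # poster's debug print
PUBLISH_RE = re.compile(r'Published event for changes: (?P<change>\S+)')


def parse_appid_log(text):
    """Parse AppIdDbg lines into records. Flow-less lines (the poster's debug print has no
    5-tuple) are attributed to the most recently seen flow; that is an assumption."""
    records, last_flow = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AppIdDbg line, ignore
        f = FLOW_RE.match(m['msg'])
        if f:
            last_flow = (f['src'], int(f['sport']), f['dst'], int(f['dport']), int(f['proto']))
            records.append({'ts': m['ts'], 'flow': last_flow, 'event': f['event'], 'attributed': True})
        else:
            records.append({'ts': m['ts'], 'flow': last_flow, 'event': m['msg'], 'attributed': False})
    return records


def summarize_flows(records):
    """Per flow: what the SSH handler saw, whether the flow went not-ok, and what was published."""
    flows = defaultdict(lambda: {
        'versions': [], 'key_exchange_valid': False, 'fin_flags': None,
        'out_of_order': False, 'discovery_stopped': False, 'published': []})
    for r in records:
        if r['flow'] is None:
            continue
        s, e = flows[r['flow']], r['event']
        if (v := VERSION_RE.search(e)):
            s['versions'].append((v['vendor'], v['version']))
        elif 'received valid key exchange' in e:
            s['key_exchange_valid'] = True
        elif (fin := FIN_RE.search(e)):
            s['fin_flags'] = {'service': fin['serv'] == '1', 'client': fin['cli'] == '1'}
        elif 'out-of-order' in e:
            s['out_of_order'] = True
        elif 'stopped service/client discovery' in e:
            s['discovery_stopped'] = True
        elif (p := PUBLISH_RE.search(e)):
            s['published'].append(p['change'])
    return dict(flows)


def diagnose(summary):
    """Turn one flow summary into a short finding string for the triage report."""
    if summary['discovery_stopped'] and summary['out_of_order']:
        unfinished = [side for side, done in (summary['fin_flags'] or {}).items() if not done]
        return ("discovery stopped after an out-of-order packet marked the flow not-ok; "
                f"handler had seen {len(summary['versions'])} version string(s), "
                f"key exchange {'valid' if summary['key_exchange_valid'] else 'not seen'}, "
                f"unfinished sides: {unfinished or 'none'}")
    if summary['key_exchange_valid'] and len(summary['versions']) >= 2:
        return "SSH handler saw both version strings and a valid key exchange"
    return "incomplete SSH handshake in log"


if __name__ == '__main__':
    for flow, summary in summarize_flows(parse_appid_log(SAMPLE_LOG)).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} proto {flow[4]}")
        print("  published:", summary['published'])
        print("  finding:  ", diagnose(summary))
```

Run it against a real syslog extract with `appid_debug` output and the report shows, per flow, whether both version strings and a key exchange were seen before discovery stopped, which is the question the poster is asking about the serv.fin/cli.fin flags.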
Current thread:
- snort3: appid can not detect ssh Meridoff via Snort-devel (Apr 27)
- Re: snort3: appid can not detect ssh Al Lewis (allewi) via Snort-devel (Apr 27)
- Re: snort3: appid can not detect ssh Meridoff via Snort-devel (Apr 27)
- <Possible follow-ups>
- snort3: appid can not detect ssh Costas Kleopa (ckleopa) via Snort-devel (Apr 28)
- Re: snort3: appid can not detect ssh Al Lewis (allewi) via Snort-devel (Apr 27)