Snort mailing list archives

snort3: appid can not detect ssh


From: "Costas Kleopa \(ckleopa\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 28 Apr 2022 03:13:49 +0000

Adding the AppID distribution list.

Meridoff, can you also tell us what kind of IPS rule you are using for triggering this traffic?

Do you also have the complete output of snort's logging when the pcap is tested?

Thanks,
Costas

On Apr 27, 2022, at 5:50 PM, Meridoff via Snort-devel <snort-devel () lists snort org> wrote:


Yes, I do. My config (attached too):

HOME_NET = "any"
EXTERNAL_NET = "any"
dofile("/var/lib/snort/snort_defaults.lua")
dofile("/var/lib/snort/file_magic.lua")
references = default_references
classifications = default_classifications
output = { logdir="/var/log/snort/", show_year=true}
process = { daemon=true }
snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true, ["-z"] = 1, ["--id-zero"] = true , ["-Q"] = true}
ips = { mode = "inline", enable_builtin_rules = false, variables = default_variables }
perf_monitor = { base = false, output = "file", format = "text" }
alerts = { order ="pass reset block drop alert log" }
binder={}
wizard = default_wizard
alert_fast = {file=true}
stream={}
stream_tcp={}
stream_udp={}
http_inspect={}
ssl={}
appid = { app_stats_rollover_size=0, app_detector_dir = "/etc/snort/openappid/" }
ssh={}
stream_icmp={}
stream_ip={}
stream_user={}
binder[1]={ use = { type = "ssh" }, when = { service = "ssh" } }
binder[2]={ use = { type = "ssl" }, when = { service = "ssl" } }
binder[3]={ use = { type = "http_inspect" }, when = { service = "http" } }
binder[4]={ use = { type = "wizard" } }
daq = { module_dirs = { "/usr/lib/daq" } }
daq.inputs = {'1'}
daq.modules = { { name = 'nfq', mode='inline' } }
daq.modules[1].variables = { 'debug'}


Additional info: the problem exists when the connection is made from Linux with OpenSSH 8.3p1 to Ubuntu Linux with OpenSSH 8.2p1.

I get the following log in this case:

Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 New AppId session
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 Published event for changes: created
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 stopped service/client discovery
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Published event for changes: service



When I make a connection, for example from Windows WinSCP (proto WinSCP) to Ubuntu OpenSSH 8.2p1, all is OK and I get the following log:
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor WinSCP and version release_5.17.7
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:0
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:1
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg: client_success: vendor=WinSCP
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler identified client with AppId 4658
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler service detected
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service, client, service-info, client-info

Wed, 27 Apr 2022 at 16:27, Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>:
Hello,

Do you have a config file that you can share?


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>



From: Snort-devel <snort-devel-bounces () lists snort org<mailto:snort-devel-bounces () lists snort org>> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org<mailto:snort-devel () lists snort org>>
Reply-To: Meridoff <oagvozd () gmail com<mailto:oagvozd () gmail com>>
Date: Wednesday, April 27, 2022 at 6:58 AM
To: "snort-devel () lists snort org<mailto:snort-devel () lists snort org>" <snort-devel () lists snort org<mailto:snort-devel () lists snort org>>
Subject: [Snort-devel] snort3: appid can not detect ssh

Hello, I use snort 3.1.20 and am trying to detect the AppID OpenSSH.
I've set up the ssh inspector, binder and stream inspectors, and made an ssh request through router srv1.
All AppIDs are loaded in snort.

No ssh is detected; in the log I can see:

Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service


The line "handle: serv.fin:1 cli.fin:0" in the log is my debug print in the void SshEventHandler::handle(DataEvent& event, Flow* flow) function, placed before the line "if (data->service_info.finished and data->client_info.finished)".

Is it a bug or something wrong with my setup?

Thanks
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Attachment: srv.conf
Description: srv.conf
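The thread turns on reading the AppIdDbg output: in the failing flow the SSH event handler sees both version strings, then "Packet out-of-order, not-ok flow" and "stopped service/client discovery" fire before any "service detected" line, while the WinSCP flow runs through to "service detected" and "identified client with AppId 4658". Below is an added example, not code from the thread or from the Snort project, that turns that manual comparison into a small triage script: it parses the 5-tuple AppIdDbg lines, folds both packet directions of a connection into one flow (the failing flow is logged in both directions), and reports per flow whether discovery completed or was aborted. The message substrings it matches are the ones quoted in the thread; the function and field names are this example's own, and the sample log is copied from the thread's excerpts with the archive's line wraps joined.

```python
"""Triage Snort 3 AppIdDbg output per flow (added example, not Snort code).

Parses `AppIdDbg <src> <sport> -> <dst> <dport> <proto> AS=.. ID=.. <message>`
lines, merges both directions of a connection, and reports whether AppID
service/client discovery finished or was cut short by the
"Packet out-of-order, not-ok flow" condition.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# 5-tuple prefix of an AppIdDbg line. Lines without it (for instance the
# poster's own "handle: serv.fin:1 cli.fin:0" debug print) are skipped.
APPID_LINE = re.compile(
    r"AppIdDbg (?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<proto>\d+) AS=\d+ ID=\d+ (?P<msg>.*)$"
)
VERSION_MSG = re.compile(r"read SSH version string with vendor (\S+) and version (\S+)")
CLIENT_APPID_MSG = re.compile(r"identified client with AppId (\d+)")

@dataclass
class FlowState:
    versions: list = field(default_factory=list)  # (vendor, version) in the order seen
    key_exchanges: int = 0
    out_of_order: bool = False
    discovery_stopped: bool = False
    service_detected: bool = False
    client_appid: Optional[int] = None

def flow_key(src, sport, dst, dport, proto):
    """Direction-agnostic key: `A:p -> B:q` and `B:q -> A:p` map to one flow."""
    ends = sorted([(src, int(sport)), (dst, int(dport))])
    return (str(proto), ends[0], ends[1])

def parse_appid_log(lines):
    flows = {}
    for line in lines:
        m = APPID_LINE.search(line)
        if not m:
            continue
        key = flow_key(m["src"], m["sport"], m["dst"], m["dport"], m["proto"])
        st = flows.setdefault(key, FlowState())
        msg = m["msg"].strip()
        if (v := VERSION_MSG.search(msg)):
            st.versions.append((v.group(1), v.group(2)))
        elif "received valid key exchange" in msg:
            st.key_exchanges += 1
        elif "Packet out-of-order" in msg:
            st.out_of_order = True
        elif "stopped service/client discovery" in msg:
            st.discovery_stopped = True
        elif msg.endswith("service detected"):
            st.service_detected = True
        elif (c := CLIENT_APPID_MSG.search(msg)):
            st.client_appid = int(c.group(1))
    return flows

def diagnose(st):
    """One-line verdict for a flow."""
    if st.service_detected:
        return "ok: service detected"
    if st.out_of_order and st.discovery_stopped:
        return "discovery aborted: out-of-order packet before service detection"
    if st.discovery_stopped:
        return "discovery stopped without service detection"
    return "incomplete: discovery still pending"

def triage(lines):
    """Map 'ip:port <-> ip:port/proto' to its verdict."""
    return {f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}/{p}": diagnose(st)
            for (p, a, b), st in parse_appid_log(lines).items()}

# Sample input: the two flows quoted in the thread (failing OpenSSH->OpenSSH,
# working WinSCP->OpenSSH), with the archive's wrapped lines joined.
SAMPLE_LOG = """\
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 10.30.1.2 22 -> 192.168.1.3 43490 6 AS=0 ID=0 New AppId session
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Apr 28 00:17:16 srv1 snort[2473]: AppIdDbg 192.168.1.3 43490 -> 10.30.1.2 22 6 AS=0 ID=0 stopped service/client discovery
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor WinSCP and version release_5.17.7
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg handle: serv.fin:1 cli.fin:0
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg: client_success: vendor=WinSCP
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler identified client with AppId 4658
Apr 28 00:20:48 srv1 snort[2473]: AppIdDbg 10.30.1.3 49166 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler service detected
"""

if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{flow}: {verdict}")
```

Feed it the syslog output of a run with appid debugging on (the same lines the poster pasted) to get one verdict per connection instead of reading interleaved directions by hand; a flow whose verdict is "discovery aborted" is the case to capture as a pcap for the list, since the out-of-order marker is what separates it from the working WinSCP session.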
