Snort mailing list archives
snort3: problem with metadata: service http in sample.rules
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sat, 4 Mar 2017 23:09:03 +0100
Hi, this is a follow up to http://seclists.org/snort/2017/q1/593

Using --plugin-path /usr/lib64/snort_extra/codecs alone is not enough to get http traffic detected, if snort3 sample.rules are present. The service option present in metadata in https://github.com/snortadmin/snort3/blob/89bae69d5cd980ae56ef0322b6ef7cca87a75cf2/lua/sample.rules seems to cause http to be undetected.

To reproduce the problem:

# cat /etc/yum.repos.d/copr-marcindulak-snort.repo
[copr-marcindulak-snort]
name=copr-marcindulak-snort
baseurl=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/epel-$releasever-$basearch
enabled=1
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/marcindulak/snort/pubkey.gpg

# yum -y install snort snort-extra
# cp -f /etc/snort/sample.rules /etc/snort/rules/snort.rules
# echo 'alert tcp any any -> any 80 (msg:"test"; flow:to_server,established; http_uri; content:"/test"; sid:3000001;)' >> /etc/snort/rules/snort.rules
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
# sed -i 's/service http//' /etc/snort/rules/snort.rules
# sed -i 's/,,/,/' /etc/snort/rules/snort.rules
# sed -i 's/:,/:/' /etc/snort/rules/snort.rules
# SNORT_LUA_PATH=/etc/snort LUA_PATH=/usr/include/snort/lua/?.lua snort --daq-dir /usr/lib64/daq -c /etc/snort/snort.lua --plugin-path /usr/lib64/snort_extra/codecs -R /etc/snort/rules/snort.rules -r test.txt -A alert_fast -q
02/26-13:19:45.017007 [**] [1:3000001:0] "test" [**] [Priority: 0] {TCP} 192.168.17.20:34616 -> 192.168.17.30:80

By the way most snort3 rules are incompatible with snort2 (https://github.com/snortadmin/snort3/blob/master/doc/differences.txt). I tried to use pulledpork's modifysig to convert community-rules.tar.gz into a snort3 format, but that's not a reliable way. How are you planning to transition into snort3 rules?
By implementing snort3 rules support in snort2?

I noticed also that some types of attachments are stripped when posting on snort-users. I'm attaching test.txt (pcap), but no guarantee it will be available on the list.

Cheers,
Marcin
Attachment:
test.txt
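A more careful equivalent of the three sed edits in the post above, added here as an example and not part of the original message or of the Snort project: it removes the `service http` entry only inside each rule's metadata option, drops the metadata option when nothing is left in it, and leaves quoted `msg`/`content` strings alone, which the blind `s/service http//` and `s/,,/,/` substitutions would not. The sample rules in the block are constructed, not taken from sample.rules.

```python
"""Remove `service <name>` from the metadata option of Snort rule lines.
Added example (not from the original post or the Snort project); does what the
post's sed edits do, but only inside the metadata option of each rule."""

# Constructed sample rules, not taken from sample.rules.
SAMPLE_RULES = """# constructed test rules
alert tcp any any -> any 80 (msg:"only service"; metadata:service http; sid:1;)
alert tcp any any -> any 80 (msg:"service http"; content:"a,,b"; metadata:policy balanced-ips drop, service http; sid:2;)
"""

def split_options(body: str) -> list[str]:
    """Split the text inside the rule parentheses on ';' outside double quotes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:                       # character after a backslash is literal
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def strip_service(rule: str, service: str = "http") -> str:
    """Drop `service <service>` from metadata; drop metadata if nothing remains."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return rule                   # comment, blank line or not a rule
    wanted = f"service {service}".lower()
    kept = []
    for opt in split_options(rule[start + 1:end]):
        key, sep, val = opt.partition(":")
        if sep and key.strip().lower() == "metadata":
            entries = [e.strip() for e in val.split(",") if e.strip()]
            entries = [e for e in entries if " ".join(e.split()).lower() != wanted]
            if not entries:
                continue              # metadata held only the service entry
            opt = "metadata:" + ", ".join(entries)
        kept.append(opt)
    return rule[:start + 1] + " ".join(o + ";" for o in kept) + rule[end:]

def strip_rules(text: str, service: str = "http") -> str:
    """Apply strip_service to every line of a rules file's contents."""
    return "\n".join(strip_service(line, service) for line in text.splitlines())
```

Run `strip_rules` over the file contents and write the result back instead of the three in-place sed commands.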