Snort mailing list archives
Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases
From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Fri, 4 Sep 2020 07:19:00 +0300
I'm still trying different versions to find where the bug exists.

- snort3.0.1.5 - detection and block action works properly
- snort3.0.2.1 - only sid 9000003 matches and blocking traffic. appid doesn't match any traffic.

There is something wrong about appid detection with snort3 build >= 3.0.2.1. All the builds after 3.0.2.* have this issue.

I wrote that appid_stats have lines about wetransfer, but after kill & restart snort3, I couldn't reproduce wetransfer detection. Tests are run with a freebsd+snort3 gateway and 1 windows client only.

- snort3.0.2.1 - appid_stats.log with similar traffic

  # cat appid_stats.log
  1599192367,DNS,3032,5497
  1599192367,HTTPS,144450,2774175
  1599192367,MDNS,3650,0
  1599192367,ICMP,395,0
  1599192367,DNS over HTTPS,5736,18574
  1599192367,__unknown,25577,767

- snort3.0.1.5 - appid_stats.log with similar traffic

  # cat appid_stats.log
  1599192609,Google,22731,201644
  1599192609,Chrome,574,257
  1599192609,HTTP,574,257
  1599192609,NetBIOS-ns,3036,0
  1599192609,HTTPS,37943,262317
  1599192609,SSL client,29790,246317
  1599192609,MDNS,3204,0
  1599192609,WeTransfer,4886,39253
  1599192609,Google Sign in,2173,5420
  1599192609,DNS over HTTPS,6224,16712
  1599192609,__unknown,2724,4220

On Fri, Sep 4, 2020 at 6:57 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
> In addition to v3.0.2.5, appid_stats contains lines about wetransfer, facebook etc. But alert_json log doesn't have. I think there is a bug about rule matching for appids.
>
>   # grep -i wetransfer appid_stats.log
>   1599189911,WeTransfer,6560,3184
>   1599190202,WeTransfer,1951,1161
>   1599190803,WeTransfer,2086,6678
>   1599191404,WeTransfer,2086,6761
>   # grep -i wetransfer alert_json.txt
>   #
>
> On Fri, Sep 4, 2020 at 6:38 AM Özkan KIRIK <ozkan.kirik () gmail com> wrote:
> > Hello,
> >
> > I am using FreeBSD stable/12 branch using netmap daq configuration. snort3 is configured in inline mode with a simple ruleset as below:
> >
> >   block ip any any -> any any ( msg: "block facebook"; appids:"facebook"; sid:9000000; )
> >   block ip any any -> any any ( msg: "block wetransfer "; appids:"wetransfer"; sid:9000001; )
> >   block ip any any -> any any ( msg: "block youtube"; appids:"youtube"; sid:9000002; )
> >   block icmp any any -> any any ( msg: "icmp inline test"; sid:9000003; )
> >
> > After upgrading from 3.0.1 to 3.0.2 appid detection is not working. Same configuration with:
> >
> > - snort3.0.1.2 - detection and block action works properly
> > - snort3.0.1.4 - detection and block action works properly
> > - snort3.0.2.4 - only sid 9000003 matches and blocking traffic. appid doesn't match any traffic.
> > - snort3.0.2.5 - only sid 9000003 matches and blocking traffic. appid doesn't match any traffic.
> >
> >   appid = { app_detector_dir = '/usr/local/etc/snort' }
> >   rate_filter = { }
> >   stream = { }
> >   stream_ip = { }
> >   stream_icmp = { }
> >   stream_tcp = { }
> >   stream_udp = { }
> >   arp_spoof = { }
> >   back_orifice = { }
> >   dnp3 = { }
> >   dns = { }
> >   http_inspect = { }
> >   http2_inspect = { }
> >   imap = { }
> >   modbus = { }
> >   normalizer = { tcp = { ips = true } }
> >   pop = { }
> >   rpc_decode = { }
> >   sip = { }
> >   ssh = { }
> >   ssl = { }
> >   telnet = { }
> >   dce_smb = { }
> >   dce_tcp = { }
> >   dce_udp = { }
> >   dce_http_proxy = { }
> >   dce_http_server = { }
> >
> > In snort 3.0.2* do we need to change any configuration?
> >
> > Regards
> > Özkan
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
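The comparison the thread does by eye (which AppIDs a newer build stopped attributing, and which appid rules stayed silent although AppID counted the application) can be scripted. The block below is an added example, not code from the thread or from the Snort project. It embeds the two appid_stats.log captures quoted above as constructed input, assumes the two numeric columns are the per-bucket byte counters in each direction (the page shows the columns but not their names), and cross-checks against a constructed alert_json.txt whose field layout is an assumption (alert_json fields are configurable; only a "rule" field of the form gid:sid:rev is relied on).

```python
"""Diff two Snort 3 appid_stats.log captures and cross-check them against
alert_json output. Added example, not from the thread or the Snort project."""
import json
from collections import defaultdict

# Constructed input: the appid_stats.log capture quoted for snort3.0.2.1.
STATS_3_0_2_1 = """\
1599192367,DNS,3032,5497
1599192367,HTTPS,144450,2774175
1599192367,MDNS,3650,0
1599192367,ICMP,395,0
1599192367,DNS over HTTPS,5736,18574
1599192367,__unknown,25577,767
"""

# Constructed input: the appid_stats.log capture quoted for snort3.0.1.5.
STATS_3_0_1_5 = """\
1599192609,Google,22731,201644
1599192609,Chrome,574,257
1599192609,HTTP,574,257
1599192609,NetBIOS-ns,3036,0
1599192609,HTTPS,37943,262317
1599192609,SSL client,29790,246317
1599192609,MDNS,3204,0
1599192609,WeTransfer,4886,39253
1599192609,Google Sign in,2173,5420
1599192609,DNS over HTTPS,6224,16712
1599192609,__unknown,2724,4220
"""

# Constructed alert_json.txt lines: only the ICMP rule fired, as in the thread.
# Field layout is an assumption; only "rule" (gid:sid:rev) is used below.
ALERTS = """\
{"timestamp":"09/04-06:40:01.000000","action":"block","rule":"1:9000003:0","msg":"icmp inline test"}
{"timestamp":"09/04-06:40:02.000000","action":"block","rule":"1:9000003:0","msg":"icmp inline test"}
"""

# The appid referenced by each block rule in the thread, keyed by sid.
RULES = {9000000: "facebook", 9000001: "wetransfer", 9000002: "youtube"}


def parse_appid_stats(text):
    """Sum the two byte columns per application over all bucket lines.

    Line format: bucket_start_epoch,app_name,bytes_col1,bytes_col2.
    App names may contain spaces ("DNS over HTTPS"), so the line is split
    from the right for the counters and once from the left for the bucket.
    Column semantics (tx/rx) are assumed; the page does not name them.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head, col1, col2 = line.rsplit(",", 2)
        _bucket, app = head.split(",", 1)
        totals[app][0] += int(col1)
        totals[app][1] += int(col2)
    return {app: tuple(v) for app, v in totals.items()}


def lost_apps(good, bad):
    """Applications attributed in `good` that never appear in `bad`."""
    return sorted(set(good) - set(bad), key=str.lower)


def fired_sids(alert_json_text):
    """Count alerts per sid; the rule field is assumed to be gid:sid:rev."""
    counts = defaultdict(int)
    for line in alert_json_text.splitlines():
        if not line.strip():
            continue
        _gid, sid, _rev = json.loads(line)["rule"].split(":")
        counts[int(sid)] += 1
    return dict(counts)


def silent_appid_rules(stats, alert_json_text, rules):
    """sids whose appid was counted in appid_stats but which never alerted.

    This is the inconsistency reported in the thread: WeTransfer bytes in
    appid_stats.log, no sid 9000001 entry in alert_json.txt. AppID names are
    matched case-insensitively against the lower-case appids in the rules.
    """
    seen = {app.lower() for app in stats}
    fired = fired_sids(alert_json_text)
    return sorted(sid for sid, app in rules.items()
                  if app in seen and fired.get(sid, 0) == 0)


if __name__ == "__main__":
    good = parse_appid_stats(STATS_3_0_1_5)
    bad = parse_appid_stats(STATS_3_0_2_1)
    print("apps attributed by 3.0.1.5 but not 3.0.2.1:", lost_apps(good, bad))
    print("appid rules silent despite counted traffic:",
          silent_appid_rules(good, ALERTS, RULES))
```

Run against real files, replace the embedded strings with the contents of appid_stats.log from each build and of alert_json.txt; an empty list from silent_appid_rules() while the application is present in the stats is the behaviour the thread expects, and a non-empty one is the symptom it reports.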
Current thread:
- Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Shravan Rangarajuvenkata (shrarang) via Snort-devel (Sep 04)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 05)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 14)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Shravan Rangarajuvenkata (shrarang) via Snort-devel (Sep 23)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)
- Re: Snort3 Appid detection problem between 3.0.1 - 3.0.2 releases Özkan KIRIK via Snort-devel (Sep 03)