List:       oisf-users
Subject:    Re: [Oisf-users] app-layer detection-port question
From:       Jason Holmes <jholmes () psu ! edu>
Date:       2016-03-31 15:34:49
Message-ID: 56FD4399.8050606 () psu ! edu

Hi Victor,

You say below that in some cases, there is only a probing parser.  Is 
that the case for SMB?  I want to try to detect SMB on non-standard 
ports, but I don't know if the following rule would be sufficient or if 
I would need to also change the app-layer detection ports (dp: option) 
for smb to something other than 139.

alert tcp any any -> $HOME_NET !139 (msg:"LR SMB on non-standard port"; 
flow:established,to_server; app-layer-protocol:smb; sid:800522; rev:1;)

app-layer:
   protocols:
     smb:
       enabled: yes
       detection-ports:
         dp: 139

Thanks,

--
Jason Holmes

On 2/11/16 9:34 AM, Victor Julien wrote:
> On 10-02-16 23:28, Michał Purzyński wrote:
> > Does that mean Suricata will first decide "hmmm... smells like HTTP" and then try
> > to confirm the guess with a probing parser?
> 
> If the pattern based detection succeeds, the probing parser is not
> called. In some cases (like DNS) we have only a probing parser.
> 
> > Will the rule using the word http be allowed to match after the final protocol
> > confirmation?
> 
> Yes.
> 
> > I'd like to understand how the whole logic works. Pointers to code welcome.
> 
> https://github.com/inliniac/suricata/blob/master/src/app-layer-detect-proto.c
> 
> Cheers,
> Victor
> 
> > > On 10 Feb 2016, at 20:50, Victor Julien <lists@inliniac.net> wrote:
> > > 
> > > > On 10-02-16 18:05, Jason Holmes wrote:
> > > > Hi,
> > > > 
> > > > I want to make sure I understand the effect of the 'detection-port'
> > > > option in the app-layer config to rule matching.  If I have the
> > > > following app-layer config:
> > > > 
> > > > app-layer:
> > > >   protocols:
> > > >     tls:
> > > >       enabled: yes
> > > >       detection-ports:
> > > >         dp: 443
> > > > 
> > > > and I have a rule that starts with "alert tls":
> > > > 
> > > > alert tls $EXTERNAL_NET any -> $HOME_NET any
> > > > 
> > > > does the rule only match on 443 because of the "dp: 443" option in the
> > > > app-layer setting?
> > > > 
> > > > If the tls config above omitted the detection-ports section, would the
> > > > detection ports be all ports?
> > > 
> > > Protocol detection has 2 distinct steps.
> > > 
> > > 1. a pattern based recognition. E.g. if a stream starts with GET|20|
> > > it's very likely HTTP. If the server response then starts with HTTP/ we
> > > can be sure about it.
> > > 
> > > This runs on all ports.
> > > 
> > > 2. a 'probing parser': this is a simplified parser that tries to
> > > validate the protocol.
> > > 
> > > This only runs on the port as configured in 'detection-ports'. This is
> > > because it's expensive to run this logic.
> > > 
> > > --
> > > ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP: http://www.inliniac.net/victorjulien.asc
> > > ---------------------------------------------
> > > 
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
> 
> 
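A small model of the two-step detection Victor describes above (pattern recognition on every port, probing parser only on the configured detection-ports, probing skipped when a pattern already matched) together with an app-layer-protocol rule sitting on top of it, added here as an illustration; it is not Suricata's code. The byte patterns, the toy HTTP prober, the ports and the sample streams are all constructed, and no probing parser is modelled for SMB since whether one exists is the open question in this thread.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

@dataclass
class ProtoConfig:
    name: str
    patterns: List[Tuple[int, bytes]]   # (offset, bytes) checked at the start of the stream
    detection_ports: Set[int]           # the 'dp:' ports on which the probing parser may run
    prober: Optional[Callable[[bytes], bool]] = None

def http_prober(payload: bytes) -> bool:
    """Toy probing parser: accept a well-formed HTTP/1.x request line."""
    line, sep, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    return bool(sep) and len(parts) == 3 and parts[2].startswith(b"HTTP/1.")

# Patterns, ports and probers here are constructed for illustration only.
CONFIGS = [
    ProtoConfig("http", [(0, b"GET ")], {80}, http_prober),
    # NetBIOS session header (4 bytes) followed by the SMB1/SMB2 magic; no prober modelled.
    ProtoConfig("smb", [(4, b"\xffSMB"), (4, b"\xfeSMB")], {139}),
]

def detect(dport: int, payload: bytes) -> Tuple[Optional[str], Optional[str]]:
    # Step 1: pattern recognition, which runs on every port.
    for cfg in CONFIGS:
        if any(payload[off:off + len(pat)] == pat for off, pat in cfg.patterns):
            return cfg.name, "pattern"
    # Step 2: the probing parser, run only on the configured detection ports.
    for cfg in CONFIGS:
        if cfg.prober and dport in cfg.detection_ports and cfg.prober(payload):
            return cfg.name, "probe"
    return None, None

def rule_matches(dport: int, payload: bytes, proto: str, not_port: Optional[int] = None) -> bool:
    """Models 'alert tcp any any -> $HOME_NET !<not_port> (app-layer-protocol:<proto>;)'."""
    if not_port is not None and dport == not_port:
        return False
    return detect(dport, payload)[0] == proto

# Constructed sample streams (the SMB2 one is truncated right after the magic).
SMB2_HEAD = b"\x00\x00\x00\x04" + b"\xfeSMB"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
HTTP_POST = b"POST / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    print(detect(445, SMB2_HEAD), rule_matches(445, SMB2_HEAD, "smb", not_port=139))
    print(detect(8080, HTTP_POST), detect(80, HTTP_POST))
```

In this model the SMB stream on 445 is found by its pattern even though dp: is 139, while the POST request on 8080 matches no pattern and is never probed, so it goes undetected until it appears on a detection port.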
