[Oisf-users] app-layer detection-port question

Anoop Saldanha anoopsaldanha at gmail.com
Fri Apr 1 05:41:32 UTC 2016


Hi Jason,

No, that won't help.  To detect it on non-standard ports, we will have
to put signatures inside the engine (if it already isn't enabled).

On Thu, Mar 31, 2016 at 9:04 PM, Jason Holmes <jholmes at psu.edu> wrote:
> Hi Victor,
>
> You say below that in some cases, there is only a probing parser.  Is that
> the case for SMB?  I want to try to detect SMB on non-standard ports, but I
> don't know if the following rule would be sufficient or if I would need to
> also change the app-layer detection ports (dp: option) for smb to something
> other than 139.
>
> alert tcp any any -> $HOME_NET !139 (msg:"LR SMB on non-standard port";
> flow:established,to_server; app-layer-protocol:smb; sid:800522; rev:1;)
>
> app-layer:
>   protocols:
>     smb:
>       enabled: yes
>       detection-ports:
>         dp: 139
>
>
> On 2/11/16 9:34 AM, Victor Julien wrote:
>>
>> On 10-02-16 23:28, Michał Purzyński wrote:
>>>
>>> Does that mean Suricata will first decide "hmmm... smells like HTTP" and
>>> then try to confirm the guess with a probing parser?
>>
>>
>> If the pattern based detection succeeds, the probing parser is not
>> called. In some cases (like DNS) we have only a probing parser.
>>
>>> Will the rule using the word http be allowed to match after the final
>>> protocol confirmation?
>>
>>
>> Yes.
>>
>>> I'd like to understand how the whole logic works. Pointers to code
>>> welcome.
>>
>>
>>
>> https://github.com/inliniac/suricata/blob/master/src/app-layer-detect-proto.c
>>
>> Cheers,
>> Victor
>>
>>>> On 10 Feb 2016, at 20:50, Victor Julien <lists at inliniac.net> wrote:
>>>>
>>>>> On 10-02-16 18:05, Jason Holmes wrote:
>>>>> Hi,
>>>>>
>>>>> I want to make sure I understand the effect of the 'detection-port'
>>>>> option in the app-layer config to rule matching.  If I have the
>>>>> following app-layer config:
>>>>>
>>>>> app-layer:
>>>>>   protocols:
>>>>>     tls:
>>>>>       enabled: yes
>>>>>       detection-ports:
>>>>>         dp: 443
>>>>>
>>>>> and I have a rule that starts with "alert tls":
>>>>>
>>>>>   alert tls $EXTERNAL_NET any -> $HOME_NET any
>>>>>
>>>>> does the rule only match on 443 because of the "dp: 443" option in the
>>>>> app-layer setting?
>>>>>
>>>>> If the tls config above omitted the detection-ports section, would the
>>>>> detection ports be all ports?
>>>>
>>>>
>>>> Protocol detection has 2 distinct steps.
>>>>
>>>> 1. a pattern based recognition. E.g. if a stream starts with GET|20|
>>>> it's very likely HTTP. If the server response then starts with HTTP/ we
>>>> can be sure about it.
>>>>
>>>> This runs on all ports.
>>>>
>>>> 2. a 'probing parser': this is a simplified parser that tries to
>>>> validate the protocol.
>>>>
>>>> This only runs on the port as configured in 'detection-ports'. This is
>>>> because it's expensive to run this logic.
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support:
>>>> http://suricata-ids.org/support/
>>>> List:
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> Suricata User Conference November 9-11 in Washington, DC:
>>>> http://oisfevents.net



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
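An added illustration of the two-step detection logic Victor describes above (pattern match on every port, probing parser only on the configured detection-ports) and of why Jason's `app-layer-protocol:smb` rule cannot fire for a probing-parser-only protocol on a port outside `dp:`. This is a simplified model written for this page, not Suricata's code; the protocol table, the prober functions and the sample bytes are constructed.

```python
# Simplified model of app-layer protocol detection as described in the thread.
# Not Suricata's implementation (see src/app-layer-detect-proto.c for that);
# protocols, patterns, ports and sample bytes below are constructed.
from dataclasses import dataclass, field


@dataclass
class ProtoConfig:
    name: str
    # Step 1: byte patterns checked at stream start; cheap, runs on all ports.
    patterns: list = field(default_factory=list)
    # Step 2: probing parser (validation function); expensive, so it only
    # runs when the destination port is listed in detection_ports.
    prober: object = None
    detection_ports: set = field(default_factory=set)


def http_prober(data: bytes) -> bool:
    return data.startswith(b"GET ")


def smb_prober(data: bytes) -> bool:
    # Constructed check: 4-byte NetBIOS session header, then the SMB magic.
    return len(data) >= 8 and data[4:8] == b"\xffSMB"


PROTOCOLS = [
    ProtoConfig("http", patterns=[b"GET "], prober=http_prober),
    # SMB modelled as "probing parser only", like DNS in Victor's reply.
    ProtoConfig("smb", prober=smb_prober, detection_ports={139}),
]


def detect_app_layer(dst_port: int, first_bytes: bytes) -> str:
    """Return the detected protocol name, or 'unknown'."""
    for p in PROTOCOLS:  # step 1: patterns, any port
        if any(first_bytes.startswith(pat) for pat in p.patterns):
            return p.name  # probing parser skipped when a pattern hits
    for p in PROTOCOLS:  # step 2: probers, gated on detection-ports
        if p.prober and dst_port in p.detection_ports and p.prober(first_bytes):
            return p.name
    return "unknown"


def rule_matches(dst_port: int, first_bytes: bytes, proto: str, not_port: int) -> bool:
    """Model of: alert tcp any any -> $HOME_NET !<not_port> (app-layer-protocol:<proto>;)"""
    return dst_port != not_port and detect_app_layer(dst_port, first_bytes) == proto


# Constructed sample of an SMB negotiate request start; not a real capture.
SMB_NEGOTIATE = b"\x00\x00\x00\x2c\xffSMB\x72"
```

Run with `dp: 139` only, the same bytes are classified as smb on 139 and as unknown on 4445, so the `!139` rule never matches; adding 4445 to `detection_ports` in the model is what makes the prober run there.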

