[Oisf-users] app-layer detection-port question

Jason Holmes jholmes at psu.edu
Thu Mar 31 15:34:49 UTC 2016


Hi Victor,

You say below that in some cases, there is only a probing parser.  Is 
that the case for SMB?  I want to try to detect SMB on non-standard 
ports, but I don't know if the following rule would be sufficient or if 
I would need to also change the app-layer detection ports (dp: option) 
for smb to something other than 139.

alert tcp any any -> $HOME_NET !139 (msg:"LR SMB on non-standard port"; 
flow:established,to_server; app-layer-protocol:smb; sid:800522; rev:1;)

app-layer:
   protocols:
     smb:
       enabled: yes
       detection-ports:
         dp: 139

Thanks,

--
Jason Holmes

On 2/11/16 9:34 AM, Victor Julien wrote:
> On 10-02-16 23:28, Michał Purzyński wrote:
>> Does that mean Suricata will first decide "hmmm... smells like HTTP" and the try to confirm the guess with a probing parser?
>
> If the pattern based detection succeeds, the probing parser is not
> called. In some cases (like DNS) we have only a probing parser.
>
>> Will the rule using the word http be allowed to match after the final protocol confirmation?
>
> Yes.
>
>> I'd like to understand how the whole logic works. Pointers to code welcome.
>
> https://github.com/inliniac/suricata/blob/master/src/app-layer-detect-proto.c
>
> Cheers,
> Victor
>
>>> On 10 Feb 2016, at 20:50, Victor Julien <lists at inliniac.net> wrote:
>>>
>>>> On 10-02-16 18:05, Jason Holmes wrote:
>>>> Hi,
>>>>
>>>> I want to make sure I understand the effect of the 'detection-port'
>>>> option in the app-layer config to rule matching.  If I have the
>>>> following app-layer config:
>>>>
>>>> app-layer:
>>>>   protocols:
>>>>     tls:
>>>>       enabled: yes
>>>>       detection-ports:
>>>>         dp: 443
>>>>
>>>> and I have a rule that starts with "alert tls":
>>>>
>>>>   alert tls $EXTERNAL_NET any -> $HOME_NET any
>>>>
>>>> does the rule only match on 443 because of the "dp: 443" option in the
>>>> app-layer setting?
>>>>
>>>> If the tls config above omitted the detection-ports section, would the
>>>> detection ports be all ports?
>>>
>>> Protocol detection has 2 distinct steps.
>>>
>>> 1. a pattern based recognition. E.g. if a stream starts with GET|20|
>>> it's very likely HTTP. If the server response then starts with HTTP/ we
>>> can be sure about it.
>>>
>>> This runs on all ports.
>>>
>>> 2. a 'probing parser': this is a simplified parser that tries to
>>> validate the protocol.
>>>
>>> This only runs on the port as configured in 'detection-ports'. This is
>>> because it's expensive to run this logic.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>
>
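The two-step detection Victor describes (pattern recognition on every port, probing parser only on the configured detection-ports), modelled as a small Python toy. This is an added illustration, not Suricata's code: the pattern table, the DNS-over-TCP probing parser and the port table are simplified stand-ins, and the DNS query is a constructed sample.

```python
import struct

# Step 1: pattern-based recognition; runs on all ports (toy table, not Suricata's).
PATTERNS = {
    b"GET ": "http",   # request start, as in the thread's GET|20| example
    b"HTTP/": "http",  # server response start
}

# Step 2: probing parsers run only on the configured detection-ports (the YAML 'dp:' value).
DETECTION_PORTS = {"dns": {53}}


def probe_dns_tcp(data: bytes) -> bool:
    """Simplified stand-in for a DNS-over-TCP probing parser: a 2-byte length
    prefix matching the payload, then a 12-byte header that looks like a
    query with exactly one question and no answers."""
    if len(data) < 14:
        return False
    (length,) = struct.unpack("!H", data[:2])
    if length != len(data) - 2:
        return False
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[2:14])
    return (flags & 0x8000) == 0 and qdcount == 1 and ancount == 0


PROBERS = {"dns": probe_dns_tcp}


def detect(dst_port: int, data: bytes):
    """Return the detected protocol name, or None if neither step matched."""
    for pattern, proto in PATTERNS.items():        # step 1: any port
        if data.startswith(pattern):
            return proto
    for proto, probe in PROBERS.items():           # step 2: detection-ports only
        if dst_port in DETECTION_PORTS.get(proto, set()) and probe(data):
            return proto
    return None


# Constructed sample: a DNS A query for example.com with the TCP length prefix.
_question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
_header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
DNS_QUERY = struct.pack("!H", len(_header) + len(_question)) + _header + _question

if __name__ == "__main__":
    print(detect(8080, b"GET / HTTP/1.1\r\n"))  # http: pattern match, port irrelevant
    print(detect(53, DNS_QUERY))                 # dns: probing parser ran on dp 53
    print(detect(5353, DNS_QUERY))               # None: probing parser skipped off-port
```

The third call is the case the thread is about: a protocol that has only a probing parser is invisible off its detection-ports, so a rule keyed on the app-layer protocol cannot fire there unless the dp setting covers that port.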