[Oisf-users] Problems with MSN parser

Konstantin Klinger konstantin.klinger at dcso.de
Wed Oct 2 06:25:36 UTC 2019


Hi colleagues,

I try to get an alert for the MSN parser/protocol with the following rule:

	alert msn any any -> any any (msg:"FOO MSN"; sid:107;)

I have enabled the MSN protocol parser in the yaml as follows:

    msn:
      enabled: yes

I start Suricata with the following line against a Wireshark pcap with
sample MSN traffic (https://wiki.wireshark.org/MSNMS):

	suricata -r /pcaps/msnms.pcap -c /configs/suricata.yaml -l /logs/ -k none

I've tested it with Suricata 4.1.4 and 5.0 without getting an alert for
the MSN rule, but I get an alert for a ET OPEN GPL rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user
search"; flow:to_server,established; content:"CAL "; depth:4; nocase;
classtype:policy-violation; sid:2101990; rev:2; metadata:created_at
2010_09_23, updated_at 2010_09_23;)

There is no "app_proto" field in my eve.json. So my guess is that the
MSN protocol parser does not detect the pcap traffic as MSN. Have I done
something wrong with the configuration? Has anyone managed to get an
alert for the MSN protocol? I have attached my resulting eve.json and my
suricata.yaml to this email.

I would be really grateful if you could help me or give me a hint in
the right direction.

Thanks & best regards

Konstantin
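A small triage script for the symptom described in this post (no "app_proto" field in eve.json). It is an added example, not code from the poster or from the Suricata project: it reads EVE JSON lines and reports, for every record on the MSN port 1863, which app_proto Suricata assigned, and lists alerts on that port that carry no app_proto at all. The sample EVE records and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not taken from the poster's attachment): an
# alert on the MSN port without app_proto, a flow record on the same port
# without app_proto, and an HTTP flow where app_proto was assigned.
SAMPLE_EVE = """
{"timestamp":"2019-10-02T06:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.20","dest_port":1863,"proto":"TCP","alert":{"signature_id":2101990,"signature":"GPL CHAT MSN user search"}}
{"timestamp":"2019-10-02T06:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.20","dest_port":1863,"proto":"TCP","flow":{"state":"closed"}}
{"timestamp":"2019-10-02T06:00:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","src_port":49153,"dest_ip":"198.51.100.30","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"state":"closed"}}
"""

MSN_PORT = 1863


def app_proto_report(eve_text, port=MSN_PORT):
    """Summarise app_proto assignment for EVE records touching `port`.

    Returns a dict with a count of records per app_proto value ("<missing>"
    when the key is absent) and the signature ids of alerts that fired on
    the port without any app-layer protocol having been detected.
    """
    by_app_proto = Counter()
    alerts_without_app_proto = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if port not in (rec.get("src_port"), rec.get("dest_port")):
            continue
        by_app_proto[rec.get("app_proto", "<missing>")] += 1
        if rec.get("event_type") == "alert" and "app_proto" not in rec:
            alerts_without_app_proto.append(rec["alert"]["signature_id"])
    return {
        "by_app_proto": dict(by_app_proto),
        "alerts_without_app_proto": alerts_without_app_proto,
    }


if __name__ == "__main__":
    # Replace SAMPLE_EVE with open("/logs/eve.json").read() for a real run.
    print(json.dumps(app_proto_report(SAMPLE_EVE), indent=2))
```

If every record on port 1863 lands under "<missing>" while other ports show an app_proto, the app-layer detection for that traffic did not engage, which narrows the question to the parser and its configuration rather than to the rule itself.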