[Oisf-users] Problems with MSN parser
Victor Julien
lists at inliniac.net
Fri Oct 4 13:08:28 UTC 2019
Hi Konstantin,
On 02-10-19 08:25, Konstantin Klinger wrote:
> I try to get an alert for the MSN parser/protocol with the following rule:
>
> alert msn any any -> any any (msg:"FOO MSN"; sid:107;)
>
> I have enabled the MSN protocol parser in the yaml the following:
>
> msn:
>   enabled: yes
>
> I start Suricata with the following line against a Wireshark pcap with
> sample MSN traffic (https://wiki.wireshark.org/MSNMS):
>
> suricata -r /pcaps/msnms.pcap -c /configs/suricata.yaml -l /logs/ -k none
>
> I've tested it with Suricata 4.1.4 and 5.0 without getting an alert for
> the MSN rule, but I get an alert for a ET OPEN GPL rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user
> search"; flow:to_server,established; content:"CAL "; depth:4; nocase;
> classtype:policy-violation; sid:2101990; rev:2; metadata:created_at
> 2010_09_23, updated_at 2010_09_23;)
>
> There is no "app_proto" field in my eve.json. So my guess is that the
> MSN protocol parser does not detect the pcap traffic as MSN. Have I done
> something wrong with the configuration? Has anyone managed to get an
> alert for the MSN protocol? I have attached my resulting eve.json and my
> suricata.yaml to this email.
>
> I would be really grateful if you could help me or give me a hint in
> the right direction.
Sadly, there is no MSN parser. There is just some super simple and
likely inadequate protocol detection happening. So I wouldn't rely on this.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
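The check Konstantin describes doing by hand (looking for an "app_proto" field in eve.json) can be scripted. The following is an added example, not part of the thread and not Suricata's own code: it reads EVE JSON lines, groups the records of every TCP flow to port 1863 (the port the quoted GPL rule matches on) by flow_id, and reports whether Suricata assigned an app_proto to the flow and whether the "alert msn" rule (sid 107) fired on it. The log lines embedded below are constructed for illustration; the field names used (event_type, flow_id, dest_port, proto, app_proto, alert.signature_id) are standard EVE fields, and a port-80 flow with app_proto "http" is included for contrast.

```python
"""Report app-layer protocol identification for MSN-port flows in an eve.json.

Added example for the mailing-list thread above; not part of Suricata.
"""
import json
from collections import defaultdict

MSN_PORT = 1863      # port used by the GPL CHAT MSN rule quoted in the thread
MSN_RULE_SID = 107   # sid of the "alert msn any any -> any any" rule from the thread

# Constructed sample EVE records (not a real capture): one alert from the GPL
# rule plus the flow record for the same flow, neither carrying app_proto, and
# one HTTP flow that does carry app_proto so the difference is visible.
SAMPLE_EVE = """\
{"timestamp":"2019-10-02T08:25:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":40312,"dest_ip":"207.46.110.20","dest_port":1863,"proto":"TCP","alert":{"signature_id":2101990,"rev":2,"signature":"GPL CHAT MSN user search","category":"Potential Corporate Privacy Violation"}}
{"timestamp":"2019-10-02T08:25:01.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","src_port":40312,"dest_ip":"207.46.110.20","dest_port":1863,"proto":"TCP"}
{"timestamp":"2019-10-02T08:25:02.000000+0000","flow_id":2,"event_type":"flow","src_ip":"10.0.0.5","src_port":40313,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","app_proto":"http"}
"""


def parse_eve(text):
    """Yield one dict per non-empty EVE JSON line; skip lines that do not parse
    (e.g. a half-written last line of a log file that is still being appended to)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_flows(records, port=MSN_PORT):
    """Group records of TCP flows to `port` by flow_id.

    Returns {flow_id: {"app_proto": str|None, "sids": set, "events": int}}.
    app_proto is taken from any record of the flow that carries it, since
    Suricata writes it on flow records and on alerts logged after detection.
    """
    flows = defaultdict(lambda: {"app_proto": None, "sids": set(), "events": 0})
    for rec in records:
        if rec.get("proto") != "TCP" or rec.get("dest_port") != port:
            continue
        flow = flows[rec["flow_id"]]
        flow["events"] += 1
        if rec.get("app_proto"):
            flow["app_proto"] = rec["app_proto"]
        if rec.get("event_type") == "alert":
            flow["sids"].add(rec["alert"]["signature_id"])
    return dict(flows)


def check_msn_detection(text, port=MSN_PORT, msn_sid=MSN_RULE_SID):
    """Return (flows_seen, flows_with_app_proto, flows_hit_by_msn_rule)
    for TCP flows to `port` in the given EVE JSON text."""
    flows = summarize_flows(parse_eve(text), port)
    with_proto = sum(1 for f in flows.values() if f["app_proto"])
    msn_hits = sum(1 for f in flows.values() if msn_sid in f["sids"])
    return len(flows), with_proto, msn_hits


if __name__ == "__main__":
    seen, with_proto, hits = check_msn_detection(SAMPLE_EVE)
    print(f"flows to tcp/{MSN_PORT}: {seen}, with app_proto: {with_proto}, "
          f"hit by sid {MSN_RULE_SID}: {hits}")
    for fid, flow in summarize_flows(parse_eve(SAMPLE_EVE)).items():
        print(f"  flow {fid}: app_proto={flow['app_proto']} sids={sorted(flow['sids'])}")
```

Run it against a real log with `check_msn_detection(open("eve.json").read())`; a result like (N, 0, 0) with N > 0 reproduces what the thread reports, where the port-based GPL rule fires but no app_proto is recorded and the "alert msn" rule never matches. Note that the script keys on dest_port only, so it will also miss MSN sessions on non-standard ports, the same limitation the port-based GPL rule has.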