Snort - OpenAppID negation
-
Hi there,
I am currently trying to alert on non-HTTP traffic on port 80 using Snort. I thought this might be as easy as setting up a rule like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Non-HTTP traffic on HTTP port"; appid: !http; sid:4242001;)
Obviously, I expected that using !http for the appid will generate an alert when OpenAppID detects an application which is different from HTTP. However, this is not the case, as Snort does not generate an alert when I am sending e.g. FTP traffic via port 80. Is it not possible to use the negation operation for the appid option?
Best regards
-
@minilulatsch Tried the ET-Policy rule set, I vaguely remember having to disable one of their policies for my work VM.
Scrub that it was ET POLICY HTTP traffic on port 443 that I had to disable.
-
@minilulatsch said in Snort - OpenAppID negation:
Hi there,
I am currently trying to alert on non-HTTP traffic on port 80 using Snort. I thought this might be as easy as setting up a rule like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Non-HTTP traffic on HTTP port"; appid: !http; sid:4242001;)
Obviously, I expected that using !http for the appid will generate an alert when OpenAppID detects an application which is different from HTTP. However, this is not the case, as Snort does not generate an alert when I am sending e.g. FTP traffic via port 80. Is it not possible to use the negation operation for the appid option?
Best regards
No, I don't think that is acceptable syntax. To be honest, the documentation from Snort about
appid:
syntax is not too detailed. Here is some stuff I found:
OpenAppID Webinar Slides
Snort Blog Post - OpenAppID Application Rules
Snort OpenAppID Mailing List
Cisco Application Detectors Web Site
-
Thanks for your responses. I played a little more with the application detection via OpenAppID and noticed some weird behavior. I have the following rule in place, which simply detects HTTP traffic on port 80:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"http on http port"; appid:http; sid:4242001; )
This works as expected and generates alerts when HTTP traffic is sent to some external server on port 80. However, if I change the rule to detect HTTP traffic on e.g. port 22, it doesn't work:
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"http on ssh port"; appid:http; sid:4242002; )
When I now send HTTP requests to a webserver listening on port 22 (on an external server), no alerts are generated. That's not how it should be, is it?
-
@minilulatsch I found the answer to this myself, I thought that Snort investigates all traffic and tries to detect HTTP via OpenAppID. However, this is not the case, Snort only investigates for HTTP traffic on the ports which are defined in $HTTP_PORTS. Port 22 is not contained in $HTTP_PORTS, therefore HTTP traffic on this port is not detected.
-
@minilulatsch said in Snort - OpenAppID negation:
@minilulatsch I found the answer to this myself, I thought that Snort investigates all traffic and tries to detect HTTP via OpenAppID. However, this is not the case, Snort only investigates for HTTP traffic on the ports which are defined in $HTTP_PORTS. Port 22 is not contained in $HTTP_PORTS, therefore HTTP traffic on this port is not detected.
Yep! But you can edit the values used in those variables on the VARIABLES tab when editing a specific interface. So you could add your own custom ports to the $HTTP_PORTS variable, including aliases.
-
@bmeeks Yep, did that, my idea was to simply set $HTTP_PORTS to the port range 1-65535 so that all traffic is inspected (no idea how bad this would be for performance, it was just for testing). However, it's not that easy. The ports in this variable are written to snort.conf, which can't hold more than 32000 characters in one line, which is way less than needed for all 65535 ports. That means, if you do what I did and set $HTTP_PORTS to 1-65535, Snort will not be able to start on the corresponding interface as the config file cannot be loaded.
-
@minilulatsch said in Snort - OpenAppID negation:
@bmeeks Yep, did that, my idea was to simply set $HTTP_PORTS to the port range 1-65535 so that all traffic is inspected (no idea how bad this would be for performance, it was just for testing). However, it's not that easy. The ports in this variable are written to snort.conf, which can't hold more than 32000 characters in one line, which is way less than needed for all 65535 ports. That means, if you do what I did and set $HTTP_PORTS to 1-65535, Snort will not be able to start on the corresponding interface as the config file cannot be loaded.
There are limits on the size of things, so you need to more carefully analyze what you actually want to look for and then modify the variables appropriately. Looking for HTTP traffic on every conceivable port is not really realistic in my view.
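Two of the findings in this thread can be checked mechanically before an interface is restarted: an appid:http rule whose destination port is not in $HTTP_PORTS will never fire, and an $HTTP_PORTS value that expands to 1-65535 produces a portvar line far longer than the 32000-character limit reported above. The script below is an added example, not code from the thread or from the pfSense Snort package. It assumes a snort.conf-style fragment and the two rules from the thread as constructed input, and it assumes (based on the start-up failure described above) that the package writes every port of the variable out individually on one line.

```python
"""Check Snort appid:http rules against $HTTP_PORTS and size the portvar line.

Added example for the forum thread above; not the pfSense package's own code.
Assumption: $HTTP_PORTS ends up in snort.conf as one 'portvar' line listing
each port individually, which is what overflows the line limit.
"""
import re

# Constructed sample: a trimmed snort.conf fragment (only the lines we need).
SNORT_CONF = """\
ipvar HOME_NET [192.168.1.0/24]
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
portvar SSH_PORTS 22
"""

# The two rules posted in the thread, used here as the rule file under test.
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"http on http port"; appid:http; sid:4242001; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"http on ssh port"; appid:http; sid:4242002; )
"""

MAX_LINE = 32000  # snort.conf line limit as reported in the thread

PORTVAR_RE = re.compile(r"^portvar\s+(\w+)\s+\[?([^\]\n]+?)\]?\s*$", re.M)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)


def parse_ports(spec):
    """Expand '80,8000:8010,1-3' into a set of ints.

    'lo:hi' is Snort's own range syntax; 'lo-hi' is the form typed into the
    pfSense VARIABLES tab in the thread, so both are accepted here.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)\s*[:-]\s*(\d+)", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def parse_portvar(conf, name):
    """Return the port set bound to 'portvar <name>' in a snort.conf text."""
    for m in PORTVAR_RE.finditer(conf):
        if m.group(1) == name:
            return parse_ports(m.group(2))
    raise KeyError(name)


def parse_rule(line):
    """Pull the destination port, appid option and sid out of one rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group(8)
    appid = re.search(r"appid\s*:\s*([^;]+);", opts)
    sid = re.search(r"sid\s*:\s*(\d+)\s*;", opts)
    return {
        "dst_port": m.group(7),
        "appid": appid.group(1).strip() if appid else None,
        "sid": int(sid.group(1)) if sid else None,
    }


def appid_rules_outside_http_ports(rules_text, http_ports):
    """SIDs of appid:http rules with a fixed destination port that Snort does
    not inspect for HTTP, i.e. rules that can never fire in this setup.
    Rules using a port variable or 'any' are left alone."""
    hits = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None or r["appid"] != "http":
            continue
        if r["dst_port"].isdigit() and int(r["dst_port"]) not in http_ports:
            hits.append(r["sid"])
    return hits


def expanded_portvar_line(ports):
    """The single-line form with every port listed individually (assumed to be
    how the package writes $HTTP_PORTS into snort.conf)."""
    return "portvar HTTP_PORTS [" + ",".join(str(p) for p in sorted(ports)) + "]"


def fits_snort_conf(line, limit=MAX_LINE):
    """True if the generated line stays within the reported line limit."""
    return len(line) <= limit


if __name__ == "__main__":
    http_ports = parse_portvar(SNORT_CONF, "HTTP_PORTS")
    print("appid:http rules on uninspected ports:",
          appid_rules_outside_http_ports(RULES, http_ports))
    full = expanded_portvar_line(range(1, 65536))
    print("1-65535 expanded line length:", len(full),
          "fits:", fits_snort_conf(full))
```

Running it reports sid 4242002 (port 22) as a rule that cannot fire with the default $HTTP_PORTS, and shows the 1-65535 expansion is several hundred thousand characters long, which is why Snort refused to start on that interface. Snort's portvar grammar itself accepts a range written as 1:65535; whether the package preserves that form or expands it is an assumption of this example, so verify against the snort.conf it actually writes.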