Snort mailing list archives

snort3: appid can not detect ssh


From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Wed, 27 Apr 2022 13:57:03 +0300

Hello, I use Snort 3.1.20 and am trying to detect the appid OpenSSH.
I've set up the ssh inspector, binder and stream inspectors, and made an ssh request
through router srv1.
All appids are loaded in snort.

No ssh is detected. In the log I can see:

Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 New AppId session
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 Published event for changes: created
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor
OpenSSH and version 8.3
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor
OpenSSH and version 8.2p1
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 SSH event handler received valid key exchange
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 stopped service/client discovery
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3
22 6 AS=0 ID=0 Published event for changes: service


The line "handle: serv.fin:1 cli.fin:0" in the log is my own debug output in the
void SshEventHandler::handle(DataEvent& event, Flow* flow) function, placed before the
"if (data->service_info.finished and data->client_info.finished)" code line.

Is it a bug or something wrong with my setup?

Thanks
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
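As an added example (not from the post and not Snort's own code), a small Python triage script that groups these AppIdDbg lines per flow and summarises what the SSH event handler saw before discovery stopped. The sample log is the post's output re-joined onto one line per message; the dictionary keys and verdict strings are my own.

```python
import re
from collections import defaultdict

# Flow-keyed AppIdDbg lines: "<sip> <sport> -> <dip> <dport> <proto> AS=n ID=n <message>"
FLOW_RE = re.compile(r"AppIdDbg (\S+) (\d+) -> (\S+) (\d+) (\d+) AS=\d+ ID=\d+ (.*)$")
VERSION_RE = re.compile(r"read SSH version string with vendor (\S+) and version (\S+)")
# Constructed sample: the log from the post, with wrapped lines re-joined onto one line each.
SAMPLE_LOG = """\
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 New AppId session
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: created
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.3
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 No service candidate, wait for snort service inspection
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler read SSH version string with vendor OpenSSH and version 8.2p1
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 SSH event handler received valid key exchange
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg handle: serv.fin:1 cli.fin:0
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Packet out-of-order, not-ok flow
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 stopped service/client discovery
Mar 18 05:33:07 srv1 snort[1742]: AppIdDbg 10.30.1.2 53008 -> 192.168.1.3 22 6 AS=0 ID=0 Published event for changes: service
"""

def parse_appid_log(text):
    # Group messages per flow; AppIdDbg lines without a flow header (the poster's own
    # 'handle:' debug print) are collected under the key "other".
    flows = defaultdict(list)
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows[f"{m[1]}:{m[2]} -> {m[3]}:{m[4]}/{m[5]}"].append(m[6])
        elif "AppIdDbg " in line:
            flows["other"].append(line.split("AppIdDbg ", 1)[1])
    return flows

def diagnose_ssh_flow(msgs):
    # What the SSH event handler reported for one flow, and how discovery ended.
    banners = [m.groups() for m in map(VERSION_RE.search, msgs) if m]
    return {
        "ssh_banners": banners,  # two entries => both sides' version strings were seen
        "valid_kex": any("received valid key exchange" in x for x in msgs),
        "out_of_order": any("out-of-order" in x for x in msgs),
        "discovery_stopped": any("stopped service/client discovery" in x for x in msgs),
    }

def verdict(d):
    # One-line triage; the middle case is the symptom described in the post.
    if len(d["ssh_banners"]) < 2 or not d["valid_kex"]:
        return "incomplete SSH handshake in AppId view"
    if d["out_of_order"] and d["discovery_stopped"]:
        return "full SSH handshake seen, but discovery stopped after out-of-order flag"
    return "SSH handshake seen, discovery not interrupted"
```

Feed it a real `snort -A ... --plugin-path` debug log instead of SAMPLE_LOG to compare flows that do get classified against the one above.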
