Bug #3216

closed

MSN protocol detection/parser is not working

Added by Konstantin Klinger almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

From mailing list:

Hi colleagues,

I try to get an alert for the MSN parser/protocol with the following rule:

alert msn any any -> any any (msg:"FOO MSN"; sid:107;)

I have enabled the MSN protocol parser in the yaml as follows:

msn:
  enabled: yes

I start Suricata with the following line against a Wireshark pcap with
sample MSN traffic (https://wiki.wireshark.org/MSNMS):

suricata -r /pcaps/msnms.pcap -c /configs/suricata.yaml -l /logs/ -k none

I've tested it with Suricata 4.1.4 and 5.0 without getting an alert for
the MSN rule, but I get an alert for a ET OPEN GPL rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

There is no "app_proto" field in my eve.json. So my guess is that the
MSN protocol parser does not detect the pcap traffic as MSN. Have I done
something wrong with the configuration? Has anyone managed to get an
alert for the MSN protocol? I have attached my resulting eve.json and my
suricata.yaml to this email.

I would be really grateful if you could help me or give me a hint in
the right direction.

Thanks & best regards

Konstantin

-----
Hi Konstantin,

Sadly, there is no MSN parser. There is just a bit of super simple and
likely inadequate protocol detection happening. So I wouldn't rely on this.

Cheers,
Victor

From IRC channel:

14:58 < konstantin> Hi, I've asked a question lately on the mailing list about the MSN protocol parser. Has anyone experience with it and used it and tested it?
14:58 < konstantin> (independent of the Suricata version)
14:58 < konstantin> I would like to get an eve.json example of an alert/event that has MSN data in it and where app_proto is MSN.
15:06 < jtaylor90> konstantin: we don't use it, I was curious after you emailed the other day though
15:07 < jtaylor90> I ended up with the same results as you did. I was unable to find the parser code, it makes me wonder if it's just protocol detection
15:07 < jtaylor90> but even that didn't seem to work like we were thinking
15:07 < jtaylor90> was going to poke at it some more but haven't had a chance
15:08 < VictorJ> konstantin, just replied.
15:09 < VictorJ> jtaylor90, exactly right. And the protocol detection is likely broken too
15:16 < konstantin> VictorJ Thank you. We are working on the eve json documentation and couldn't get any MSN metadata / alerts out of msn example pcaps.
15:17 < konstantin> I will do some further testing with the protocol detection and then create a pull request for the suricata.yaml.in and/or create a bug request, so that the behaviour is at least documented.
15:18 < VictorJ> It should probably just remove the whole thing :)
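One way to check an eve.json for the symptom described in this report, i.e. events on tcp/1863 that never receive an app_proto label and an alert that comes only from the port-based ET rule rather than the app-layer "alert msn" rule. This is an added example written here, not code from Suricata or from the reporter; the EVE field names are the standard ones and the sample log lines are constructed.

```python
"""Check an EVE JSON log for evidence that Suricata's MSN app-layer
detection matched.  Added example, not from the Suricata project; the
EVE field names (event_type, app_proto, dest_port, alert.signature_id)
are standard EVE keys, and the sample lines below are constructed."""
import json
from collections import Counter

MSN_PORT = 1863   # port the ET rule in the report keys on
MSN_SID = 107     # sid of the "alert msn" rule from the report

# Constructed sample of what the reporter describes: an ET alert and a flow
# on tcp/1863 with no app_proto, plus an unrelated HTTP flow for contrast.
SAMPLE_EVE = """\
{"event_type":"alert","proto":"TCP","dest_port":1863,"alert":{"signature_id":2101990,"signature":"GPL CHAT MSN user search"}}
{"event_type":"flow","proto":"TCP","dest_port":1863,"flow":{"pkts_toserver":12}}
{"event_type":"flow","proto":"TCP","dest_port":80,"app_proto":"http"}
"""

def summarize_eve(text):
    """Return (app_proto counts for events on MSN_PORT, set of alert sids).
    Events without app_proto are counted under "<missing>", which is the
    symptom in the report: detection never labelled the flow."""
    protos = Counter()
    sids = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("dest_port") == MSN_PORT:
            protos[ev.get("app_proto", "<missing>")] += 1
        if ev.get("event_type") == "alert":
            sids.add(ev["alert"]["signature_id"])
    return protos, sids

def msn_detection_worked(text):
    """True only if an event on tcp/1863 carries app_proto "msn" or the
    app-layer rule (sid 107) fired. The port-based ET rule alone says
    nothing about app-layer detection, which is the point of the report."""
    protos, sids = summarize_eve(text)
    return protos.get("msn", 0) > 0 or MSN_SID in sids

if __name__ == "__main__":
    protos, sids = summarize_eve(SAMPLE_EVE)
    print("app_proto on tcp/1863:", dict(protos))
    print("alert sids:", sorted(sids))
    print("MSN app-layer detection worked:", msn_detection_worked(SAMPLE_EVE))
```

Run it against a real eve.json by passing the file contents to summarize_eve; a "<missing>" bucket on tcp/1863 with no "msn" entry reproduces the behaviour the reporter saw.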


Files

suricata.yaml (71.7 KB) suricata.yaml tested yaml Konstantin Klinger, 10/04/2019 01:50 PM
eve.json (144 KB) eve.json output from msnms.pcap Konstantin Klinger, 10/04/2019 01:50 PM
msnms.pcap (60.9 KB) msnms.pcap tested pcap Konstantin Klinger, 10/04/2019 01:51 PM