MSN protocol detection/parser is not working
From mailing list:
I try to get an alert for the MSN parser/protocol with the following rule:
alert msn any any -> any any (msg:"FOO MSN"; sid:107;)
I have enabled the MSN protocol parser in the yaml with the following:
I start Suricata with the following line against a Wireshark pcap with
sample MSN traffic (https://wiki.wireshark.org/MSNMS):
suricata -r /pcaps/msnms.pcap -c /configs/suricata.yaml -l /logs/ -k none
I've tested it with Suricata 4.1.4 and 5.0 without getting an alert for
the MSN rule, but I get an alert for a ET OPEN GPL rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
There is no "app_proto" field in my eve.json. So my guess is that the
MSN protocol parser does not detect the pcap traffic as MSN. Have I done
something wrong with the configuration? Has anyone managed to get an
alert for the MSN protocol? I have attached my resulting eve.json and my
suricata.yaml to this email.
I would be really grateful if you could help me or give me a hint in
the right direction.
Thanks & best regards
Sadly, there is no MSN parser. There is just some super simple and
likely inadequate protocol detection happening. So I wouldn't rely on this.
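To confirm what the mail above reports from the log itself, here is an added check (not part of the original report or of Suricata) that tallies app_proto values and alert signature ids across eve.json lines. The two embedded records are constructed stand-ins for the attached eve.json, with RFC 5737 documentation addresses; the file path is an assumption.

```python
import json
from collections import Counter

# Constructed sample eve.json lines standing in for the attached log:
# one alert from the ET rule (sid 2101990) and one flow record, neither
# carrying an app_proto key, which is what the report describes.
SAMPLE_EVE = """\
{"timestamp":"2019-11-01T14:58:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.22","dest_port":1863,"proto":"TCP","alert":{"signature_id":2101990,"rev":2,"signature":"GPL CHAT MSN user search"}}
{"timestamp":"2019-11-01T14:58:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.22","dest_port":1863,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10}}
"""


def summarize_eve(lines):
    """Count app_proto values and alert signature ids over eve.json records.

    Records with no app_proto key are counted under "(none)": that is the
    signature of a flow Suricata's protocol detection never classified.
    """
    app_protos = Counter()
    alert_sids = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated or partial line
        app_protos[ev.get("app_proto", "(none)")] += 1
        if ev.get("event_type") == "alert":
            alert_sids[ev.get("alert", {}).get("signature_id")] += 1
    return app_protos, alert_sids


def rule_fired(alert_sids, sid):
    """True if at least one alert with this signature id was logged."""
    return alert_sids.get(sid, 0) > 0


def msn_detected(app_protos):
    """True if any record was classified as app_proto "msn"."""
    return app_protos.get("msn", 0) > 0


if __name__ == "__main__":
    # Replace SAMPLE_EVE with open("/logs/eve.json") to run on a real log (assumed path).
    protos, sids = summarize_eve(SAMPLE_EVE.splitlines())
    print("app_proto counts:", dict(protos))
    print("alert sids:", dict(sids))
    print("MSN rule (sid 107) fired:", rule_fired(sids, 107))
    print("any record classified as msn:", msn_detected(protos))
```

On the real log, a non-zero "msn" count together with sid 107 firing is what a working parser would produce; the "(none)" bucket covering port 1863 traffic matches the behaviour described here.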
From IRC channel:
14:58 < konstantin> Hi, I've asked a question lately on the mailing list about the MSN protocol parser. Has anyone experience with it and used it and tested it?
14:58 < konstantin> (independent of the Suricata version)
14:58 < konstantin> I would like to get an eve.json example of an alert/event that has MSN data in it and where app_proto is MSN.
15:06 < jtaylor90> konstantin: we don't use it, I was curious after you emailed the other day though
15:07 < jtaylor90> I ended up with the same results as you did. I was unable to find the parser code, it makes me wonder if it's just protocol detection
15:07 < jtaylor90> but even that didn't seem to work like we were thinking
15:07 < jtaylor90> was going to poke at it some more but haven't had a chance
15:08 < VictorJ> konstantin, just replied.
15:09 < VictorJ> jtaylor90, exactly right. And the protocol detection is likely broken too
15:16 < konstantin> VictorJ Thank you. We are working on the eve json documentation and couldn't get any MSN metadata / alerts out of msn example pcaps.
15:17 < konstantin> I will do some further testing with the protocol detection and then create a pull request for the suricata.yaml.in and/or create a bug request, so that the behaviour is at least documented.
15:18 < VictorJ> It should probably just remove the whole thing :)