[Snort-openappid] Custom app detector

Costas Kleopa (ckleopa) ckleopa at ...5...
Sun Jun 8 00:54:29 EDT 2014


The custom detector would need to be in the base folder where the rest of the application detectors have been installed. For example, if you have installed the detectors under /usr/local/applications/, all our product detectors would be included in /usr/local/applications/odp

All the custom detectors would need to be under the /usr/local/applications/custom/lua folder.

From the example above, make sure that your application folder in the snort.conf is properly configured to load the detectors from /usr/local/applications/

We have an upcoming blog talking about how to create a custom detector, which should also give some more information about the overall custom detector creation process.

Thanks,
Costas

On Jun 8, 2014, at 12:04 AM, "Adam Hogan (adhogan)" <adhogan at ...5...> wrote:

Hello,

How do I get snort to read in a custom app detector? I've placed the lua script in the custom subdirectory. When I start snort the only indication I get that the custom directory is read is this line:

Could not read configuration file /usr/local/snort/appid/custom/userappid.conf

What should go into userappid.conf?

Thanks,

------------------
Adam Hogan
Security Engineer; SFCE, SFCI
SOURCEfire, LLC.
adam.hogan at ...5...
(C) 586.876.3980
(O) 614.659.1307

     ,,_
   o"   )~   Sourcefire - Now part of Cisco  . : | : . : | : .
      ''''

!! Please note that my email address and office phone number have changed. Because Cisco.
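
The folder layout described in this thread can be checked with a short script. This is an added example, not part of the original messages or of the Snort project's code; it assumes the base folder is set in snort.conf with the appid preprocessor option `app_detector_dir`, and the sample tree and file names are constructed.

```shell
#!/bin/sh
# Added example: verify the OpenAppID detector layout described in this thread.
# Assumption: snort.conf names the base folder with the appid preprocessor
# option "app_detector_dir".

# Print the configured base folder (empty when the option is absent).
appid_detector_dir() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*app_detector_dir[[:space:]]\{1,\}\([^,[:space:]]*\).*/\1/p' "$1" |
        head -n 1
}

# Return 0 when odp/ and custom/lua/ exist under the base folder and at least
# one custom .lua detector is present; 1 otherwise; 2 if the option is missing.
check_appid_layout() {
    base=$(appid_detector_dir "$1")
    [ -n "$base" ] || { echo "FAIL: no app_detector_dir in $1"; return 2; }
    base=${base%/}
    status=0
    for sub in odp custom/lua; do
        if [ -d "$base/$sub" ]; then
            echo "ok:   $base/$sub"
        else
            echo "FAIL: missing $base/$sub"; status=1
        fi
    done
    found=0
    for f in "$base"/custom/lua/*.lua; do
        if [ -f "$f" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no .lua detector in $base/custom/lua"; status=1; }
    return "$status"
}

# Constructed sample: a throwaway tree and snort.conf, not a real install.
demo=$(mktemp -d)
mkdir -p "$demo/applications/odp" "$demo/applications/custom/lua"
: > "$demo/applications/custom/lua/my_detector.lua"
printf 'preprocessor appid: app_detector_dir %s/applications/, app_stats_filename appstats-unified.log\n' \
    "$demo" > "$demo/snort.conf"
check_appid_layout "$demo/snort.conf"
rm -rf "$demo"
```

To check a real install, call `check_appid_layout` with the path to your own snort.conf in place of the constructed one.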
