[Snort-openappid] Identifies HTTP, but not web app.

Costas Kleopa (ckleopa) ckleopa at ...5...
Sun Mar 2 14:56:28 EST 2014


OpenAppID enables all available applications by default. I would suggest looking into the following though:

  *   Make sure that the path in the app_detector_dir is the one that includes all the contents of the openappid-detectors package:
     *   snort-openappid-detectors.2014-02-22.187-0.tgz<http://www.snort.org/downloads/2836>
     *   The path of the app_detector_dir is the one that includes the odp/ folder included in the snort-openappid-detectors.2014-02-22.187-0.tgz<http://www.snort.org/downloads/2836> file.
  *   If you are running snort to monitor a specific interface, make sure that the interface that your browser is using to access cnn.com is the same as the one snort is monitoring. If you are not sure, use tcpdump with the same interface as snort and then check the traffic to see if cnn.com exists in that traffic.
  *   Snort by default verifies whether the traffic has bad checksums and, if that's the case, that traffic gets ignored. You can try adding the argument “-k none” to snort so it does not ignore the bad checksums, just in case this happens when you go to cnn.com.

Hope this helps. Thanks.

Costas Kleopa

From: "Adam Hogan (adhogan)" <adhogan at ...5...>
Date: Saturday, March 1, 2014 at 9:23 PM
To: "snort-openappid at lists.sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Identifies HTTP, but not web app.

Hello,

When I use Open AppID and then use Firefox to go visit cnn.com, I don't get either firefox or cnn identified as an app. Instead I just get HTTP or HTTPS.

Here's the output from u2openappid:

statTime="1393724160",appName="https",txBytes="108",rxBytes="2964"
statTime="1393724220",appName="https",txBytes="0",rxBytes="4633"
statTime="1393724220",appName="mdns",txBytes="171",rxBytes="0"
statTime="1393724220",appName="http",txBytes="0",rxBytes="1404792"
statTime="1393724280",appName="http",txBytes="216",rxBytes="485469"
statTime="1393724280",appName="squid",txBytes="162",rxBytes="484448"
statTime="1393724280",appName="mdns",txBytes="194",rxBytes="0"
statTime="1393724340",appName="http",txBytes="54",rxBytes="723"
statTime="1393724340",appName="http",txBytes="270",rxBytes="289021"
statTime="1393724160",appName="https",txBytes="0",rxBytes="58506"
statTime="1393724220",appName="https",txBytes="0",rxBytes="4308"
statTime="1393724460",appName="dhcp",txBytes="342",rxBytes="0"
statTime="1393724580",appName="mdns",txBytes="107",rxBytes="0"
statTime="1393724640",appName="dhcp",txBytes="342",rxBytes="0"

How can I configure AppID to give me client and web-app applications?

Thanks,

------------------
Adam Hogan
Security Engineer; SFCE, SFCI
SOURCEfire, LLC.
adam.hogan at ...5...<mailto:ahogan at ...4...>
(C) 586.876.3980
(O) 614.717.9159

     ,,_
   o"   )~   Sourcefire - Now part of Cisco  . : | : . : | : .
      ''''
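
As an added example (not part of this thread or of the OpenAppID tooling), a small Python parser for the u2openappid stat lines quoted above: it sums bytes per appName and reports what share of the traffic was tagged only as generic http/https, which is the symptom described in the question. The sample lines are constructed from the ones in the post; the GENERIC_PROTOCOLS set is an assumption for this triage check.

```python
import re
from collections import defaultdict

# Constructed sample in the u2openappid stat-line format quoted in the thread.
SAMPLE = """\
statTime="1393724160",appName="https",txBytes="108",rxBytes="2964"
statTime="1393724220",appName="https",txBytes="0",rxBytes="4633"
statTime="1393724220",appName="mdns",txBytes="171",rxBytes="0"
statTime="1393724220",appName="http",txBytes="0",rxBytes="1404792"
statTime="1393724280",appName="http",txBytes="216",rxBytes="485469"
statTime="1393724280",appName="squid",txBytes="162",rxBytes="484448"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = {"statTime", "appName", "txBytes", "rxBytes"}
# Assumption: service-level names only; if all web traffic lands here,
# no client (browser) or web-app detector fired.
GENERIC_PROTOCOLS = {"http", "https"}


def parse_stat_line(line):
    """Return the typed fields of one key="value" stat line, or None if malformed."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED <= fields.keys():
        return None
    return {
        "statTime": int(fields["statTime"]),
        "appName": fields["appName"],
        "txBytes": int(fields["txBytes"]),
        "rxBytes": int(fields["rxBytes"]),
    }


def aggregate_by_app(text):
    """Sum tx/rx bytes and count records per appName, skipping malformed lines."""
    totals = defaultdict(lambda: {"txBytes": 0, "rxBytes": 0, "records": 0})
    for line in text.splitlines():
        rec = parse_stat_line(line)
        if rec is None:
            continue
        t = totals[rec["appName"]]
        t["txBytes"] += rec["txBytes"]
        t["rxBytes"] += rec["rxBytes"]
        t["records"] += 1
    return dict(totals)


def generic_web_share(totals):
    """Fraction of all bytes attributed only to generic http/https (1.0 = nothing finer identified)."""
    all_bytes = sum(t["txBytes"] + t["rxBytes"] for t in totals.values())
    generic = sum(t["txBytes"] + t["rxBytes"]
                  for name, t in totals.items() if name in GENERIC_PROTOCOLS)
    return generic / all_bytes if all_bytes else 0.0
```

A high share while browsing sites the detector package covers is a hint that app_detector_dir is not pointing at the odp/ contents or that the monitored interface carries no such traffic.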

