[Snort-openappid] Identifies HTTP, but not web app.

Adam Hogan (adhogan) adhogan at ...5...
Mon Mar 3 08:48:13 EST 2014


It was the checksums. I really should have known that!

Everything's running great now. Thanks Costas!

Hey, is there a story behind all the payload_group_*.lua files, why they're lumped into gwar or wut-tang? Just curious. :-)

------------------
Adam Hogan

On Mar 2, 2014, at 2:56 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:

OpenAppID enables all available applications by default. I would suggest looking into the following though:

  *   Make sure that the path in the app_detector_dir is the one that includes all the contents of the openappid-detectors package:
     *   snort-openappid-detectors.2014-02-22.187-0.tgz (http://www.snort.org/downloads/2836)
     *   The path of the app_detector_dir is the one that includes the odp/ folder included in the snort-openappid-detectors.2014-02-22.187-0.tgz (http://www.snort.org/downloads/2836) file.
  *   If you are running snort to monitor a specific interface, make sure that the interface that your browser is using to access cnn.com is the same as the one snort is monitoring. If you are not sure, use tcpdump with the same interface as snort and then check the traffic to see if cnn.com exists in that traffic.
  *   Snort by default verifies if the traffic has bad checksums, and if that’s the case that traffic is getting ignored. You can try adding the argument “-k none” to snort so it does not ignore the bad checksums, just in case this happens when you go to cnn.com.

Hope this helps. Thanks.

Costas Kleopa

From: "Adam Hogan (adhogan)" <adhogan at ...5...>
Date: Saturday, March 1, 2014 at 9:23 PM
To: "snort-openappid at lists.sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Identifies HTTP, but not web app.

Hello,

When I use Open AppID and then use Firefox to go visit cnn.com, I don't get either firefox or cnn identified as an app. Instead I just get HTTP or HTTPS.

Here's the output from u2openappid:

statTime="1393724160",appName="https",txBytes="108",rxBytes="2964"
statTime="1393724220",appName="https",txBytes="0",rxBytes="4633"
statTime="1393724220",appName="mdns",txBytes="171",rxBytes="0"
statTime="1393724220",appName="http",txBytes="0",rxBytes="1404792"
statTime="1393724280",appName="http",txBytes="216",rxBytes="485469"
statTime="1393724280",appName="squid",txBytes="162",rxBytes="484448"
statTime="1393724280",appName="mdns",txBytes="194",rxBytes="0"
statTime="1393724340",appName="http",txBytes="54",rxBytes="723"
statTime="1393724340",appName="http",txBytes="270",rxBytes="289021"
statTime="1393724160",appName="https",txBytes="0",rxBytes="58506"
statTime="1393724220",appName="https",txBytes="0",rxBytes="4308"
statTime="1393724460",appName="dhcp",txBytes="342",rxBytes="0"
statTime="1393724580",appName="mdns",txBytes="107",rxBytes="0"
statTime="1393724640",appName="dhcp",txBytes="342",rxBytes="0"

How can I configure AppID to give me client and web-app applications?

Thanks,

------------------
Adam Hogan
Security Engineer; SFCE, SFCI
SOURCEfire, LLC.
adam.hogan at ...5...
(C) 586.876.3980
(O) 614.717.9159

     ,,_
   o"   )~   Sourcefire - Now part of Cisco  . : | : . : | : .
      ''''
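As an added example (not code from the thread or from the Snort project), a small Python helper that parses u2openappid statistics lines like the ones quoted above, totals bytes per application, flags output in which only bare protocols such as http/https were identified, and checks that a candidate app_detector_dir contains the odp/ folder the reply refers to. The GENERIC_APPS set and the sample lines are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the key="value" format u2openappid prints.
SAMPLE_STATS = """\
statTime="1393724160",appName="https",txBytes="108",rxBytes="2964"
statTime="1393724220",appName="http",txBytes="0",rxBytes="1404792"
statTime="1393724280",appName="squid",txBytes="162",rxBytes="484448"
statTime="1393724280",appName="mdns",txBytes="194",rxBytes="0"
statTime="1393724460",appName="dhcp",txBytes="342",rxBytes="0"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Protocol-level names AppID reports even when no client or web app
# was recognized (assumed list, not taken from the Snort project).
GENERIC_APPS = {"http", "https", "ssl", "dns", "mdns", "dhcp"}


def parse_stats(text):
    """Parse u2openappid lines into dicts with integer time/byte fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            f = dict(FIELD_RE.findall(line))
            records.append({"statTime": int(f["statTime"]),
                            "appName": f["appName"],
                            "txBytes": int(f["txBytes"]),
                            "rxBytes": int(f["rxBytes"])})
    return records


def bytes_per_app(records):
    """Total tx+rx bytes per application name."""
    totals = defaultdict(int)
    for r in records:
        totals[r["appName"]] += r["txBytes"] + r["rxBytes"]
    return dict(totals)


def only_generic_apps(records):
    """True when nothing beyond bare protocols was identified, which is
    the symptom the original question describes."""
    return all(r["appName"] in GENERIC_APPS for r in records)


def detector_dir_ok(path):
    """app_detector_dir must be the directory holding the odp/ folder
    from the detectors package (the first check in the reply)."""
    return os.path.isdir(os.path.join(path, "odp"))
```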


