[Snort-openappid] Snort and OpenAppID

Y M snort at ...46...
Fri Dec 4 05:52:38 EST 2015


While testing Snort with OpenAppID version 254, the following was observed in the Snort output, which was not available in previous versions of Snort.

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1
AppInfo: AppId 2683 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone: 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.

Based on the above output, I have some questions:

1. Where can the "zone" be configured, if even possible? Should the "zone" be tied to $HOME_NET?

2. Is the "custom" directory designation officially replaced with "thirdparty"?

3. Where can the ports exclusions be configured, if even possible?

Looking at the currently available documentation, I could not find references to the above items.

