[Snort-openappid] Snort and OpenAppID

Mike Stepanek (mstepane) mstepane at ...5...
Fri Dec 4 09:49:02 EST 2015

YM -

Let me start w/ #2 first.  The whole "thirdparty" concept is something completely different than the odp (and custom) directory.  That all stays the same.  Third party refers to something that's still a little bit of a work in progress.  The idea is that it would allow you to write your own shared object library (that can take advantage of any other library that you choose) to assist in the ID'ing of apps.  In order to use it, you'd have to implement the API defined in thirdparty_appid_api.h.  You can see some of the utilities in thirdparty_appid_utils.h/c that would do things like load the library.

With regards to #1 & #3, you can define an (optional) config file that AppID reads when it loads.  In your snort.conf, for preprocessor appid, you'd specify the path using the "conf" option.

1) If you only want to monitor certain addresses, you can do something like this in your config file (defined above):

config AnalyzeApplication -1

Note that the "-1" thing on the end is a "zone".  Just use -1 there.  "Zones" is a DAQ concept that none of the public Snort DAQs really support (the idea being that you can put an interface in a zone and use it as a shorthand).  You don't really need it to use the networks-to-monitor feature.  Note that you can specify multiple networks above.

3) You can exclude certain ports from detection as well.  Here are some examples that you would add to your config file:

portexclusion dst tcp 22
portexclusion src udp 1234

Note that if no config file is specified, we just default to monitoring everything (as before).  Also note the following convention for "all":

Hope that sheds some light on the questions.

- Mike Stepanek
   mstepane at ...5...
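The two directives Mike describes above (the networks-to-monitor line and portexclusion) are easy to get subtly wrong, and the only feedback Snort gives is the startup banner quoted further down. The following is an added example, not code from this thread or from the Snort/OpenAppID project: a small linter for an AppID config file plus a check over Snort's startup output. It assumes the line layout `config AnalyzeApplication <network> [<network> ...] <zone>` (the message shows the zone last and says several networks may precede it), and the sample config and startup lines are constructed here, modelled on the lines quoted in the thread.

```python
"""Lint an OpenAppID config file and sanity-check Snort's AppID startup output.

Added example; the directive layouts are taken from the mailing-list message
above and the "config AnalyzeApplication <net>... <zone>" ordering is an
assumption.  Function names are ours, not Snort's.
"""
import ipaddress

# Constructed sample config (not from the thread).  The last two lines are
# deliberately wrong so the linter has something to report.
SAMPLE_CONFIG = """\
# networks to monitor; -1 is the only zone the public Snort DAQs support
config AnalyzeApplication 10.0.0.0/8 192.168.1.0/24 -1
portexclusion dst tcp 22
portexclusion src udp 1234
portexclusion dst tcp 70000
portexclusion both tcp 80
"""

# Constructed sample of Snort startup output, modelled on the lines quoted
# in the original question.
STARTUP_OUTPUT = """\
Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
WARNING: Directory /usr/local/lib/thirdparty does not exist.
"""


def lint_appid_config(text):
    """Return (networks, exclusions, errors) parsed from an AppID config."""
    networks, exclusions, errors = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[:2] == ['config', 'AnalyzeApplication']:
            if len(fields) < 3:
                errors.append(f"line {lineno}: missing zone")
                continue
            zone = fields[-1]
            if zone != '-1':
                errors.append(f"line {lineno}: zone {zone!r} should be -1 "
                              "(public Snort DAQs do not implement zones)")
            nets = fields[2:-1]
            if not nets:
                errors.append(f"line {lineno}: no network listed before the zone")
            for net in nets:
                try:
                    networks.append(ipaddress.ip_network(net, strict=False))
                except ValueError:
                    errors.append(f"line {lineno}: {net!r} is not a valid network")
        elif fields[0] == 'portexclusion':
            if len(fields) != 4:
                errors.append(f"line {lineno}: expected "
                              "'portexclusion <src|dst> <tcp|udp> <port>'")
                continue
            direction, proto, port = fields[1:]
            bad = False
            if direction not in ('src', 'dst'):
                errors.append(f"line {lineno}: direction must be src or dst, got {direction!r}")
                bad = True
            if proto not in ('tcp', 'udp'):
                errors.append(f"line {lineno}: protocol must be tcp or udp, got {proto!r}")
                bad = True
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                errors.append(f"line {lineno}: port {port!r} is not in 1..65535")
                bad = True
            if not bad:
                exclusions.append((direction, proto, int(port)))
        else:
            errors.append(f"line {lineno}: unrecognised directive {fields[0]!r}")
    return networks, exclusions, errors


def check_startup_output(text):
    """Flag startup lines that mean the config did not take effect as intended."""
    findings = []
    for line in text.splitlines():
        if line.startswith('Defaulting to monitoring all Snort traffic'):
            findings.append('no AppID config file was loaded; check the "conf" '
                            'option of "preprocessor appid" in snort.conf')
        elif line.startswith('WARNING: Directory') and 'does not exist' in line:
            findings.append('thirdparty directory missing; only relevant if you '
                            'load your own detector library (thirdparty_appid_api.h)')
    return findings


if __name__ == '__main__':
    nets, excl, errs = lint_appid_config(SAMPLE_CONFIG)
    print('monitored networks:', [str(n) for n in nets])
    print('port exclusions   :', excl)
    for e in errs:
        print('config error      :', e)
    for f in check_startup_output(STARTUP_OUTPUT):
        print('startup finding   :', f)
```

Run it against your real config file before restarting Snort, then compare the "Monitoring Networks" and "Excluded ... Ports" sections of the startup banner with what the linter reports; if the banner still says it is defaulting to all traffic, the `conf` path in `preprocessor appid` was not picked up.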

From: Y M [mailto:snort at ...46...]
Sent: Friday, December 04, 2015 5:53 AM
To: snort-openappid <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Snort and OpenAppID


While testing Snort with OpenAppID version 254, the following was observed in Snort output which was not available in previous versions of Snort.

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1


AppInfo: AppId 2683 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone: 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.

Based on the above output, I have some questions:

1. Where can the "zone" be configured, if even possible? Should the "zone" be tied to $HOME_NET?

2. Is the "custom" directory designation officially replaced with "thirdparty"?

3. Where can the ports exclusions be configured, if even possible?

Looking at the current available documentation I could not find references to the above items.

