[Snort-openappid] Snort 188.8.131.52 and OpenAppID
Mike Stepanek (mstepane)
mstepane at ...5...
Fri Dec 4 09:49:02 EST 2015
Let me start w/ #2 first. The whole "thirdparty" concept is something completely different than the odp (and custom) directory. That all stays the same. Third party refers to something that's still a little bit of a work in progress. The idea is that it would allow you to write your own shared object library (that can take advantage of any other library that you choose) to assist in the ID'ing of apps. In order to use it, you'd have to implement the API defined in thirdparty_appid_api.h. You can see some of the utilities in thirdparty_appid_utils.h/c that would do things like load the library.
With regards to #1 & #3, you can define an (optional) config file that AppID reads when it loads. In your snort.conf, for preprocessor appid, you'd specify the path using the "conf" option.
1) If you only want to monitor certain addresses, you can do something like this in your config file (defined above):
config AnalyzeApplication 192.168.0.0/24 -1
Note that the "-1" thing on the end is a "zone". Just use -1 there. "Zones" is a DAQ concept that none of the public Snort DAQs really support (the idea being that you can put an interface in a zone and use it as a shorthand). You don't really need it to use the networks-to-monitor feature. Note that you can specify multiple networks above.
3) You can exclude certain ports from detection as well. Here are some examples that you would add to you config file:
portexclusion dst tcp 22 192.168.0.0/24
portexclusion src udp 1234 192.168.0.0/24
Note that if not config file is specified, we just default to monitoring everything (as before). Also note the following convention for "all":
Hope that sheds some light on the questions.
- Mike Stepanek
mstepane at ...5...
From: Y M [mailto:snort at ...46...]
Sent: Friday, December 04, 2015 5:53 AM
To: snort-openappid <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Snort 184.108.40.206 and OpenAppID
While testing Snort 220.127.116.11 with OpenAppID version 254, the following was observed in Snort output which was not available in previous versions of Snort.
Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1
AppInfo: AppId 2683 is UNKNOWN
3rd Party Dir: /usr/local/lib/thirdparty
Monitoring Networks for any zone:
Excluded TCP Ports for Src:
Excluded TCP Ports for Dst:
Excluded UDP Ports Src:
Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.
Based on the above output, I have some questions:
1. Where can the "zone" be configured, if even possible? Should the "zone" be tied to $HOME_NET?
2. Is the "custom" directory designation officially replaced with "thirdparty"?
3. Where can the ports exclusions be configured, if even possible?
Looking at the current available documentation I could not find references to the above items.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-openappid