[Snort-openappid] Snort 2.9.8.0 and OpenAppID

Y M snort at ...46...
Fri Dec 4 09:58:51 EST 2015


Mike,

Thank you for the detailed explanation. That answers all of my questions and more. Appreciate it.

YM



On Fri, Dec 4, 2015 at 6:49 AM -0800, "Mike Stepanek (mstepane)" <mstepane at ...5...<mailto:mstepane at ...5...>> wrote:

YM -

Let me start w/ #2 first.  The whole "thirdparty" concept is something completely different than the odp (and custom) directory.  That all stays the same.  Third party refers to something that's still a little bit of a work in progress.  The idea is that it would allow you to write your own shared object library (that can take advantage of any other library that you choose) to assist in the ID'ing of apps.  In order to use it, you'd have to implement the API defined in thirdparty_appid_api.h.  You can see some of the utilities in thirdparty_appid_utils.h/c that would do things like load the library.

With regards to #1 & #3, you can define an (optional) config file that AppID reads when it loads.  In your snort.conf, for preprocessor appid, you'd specify the path using the "conf" option.

1) If you only want to monitor certain addresses, you can do something like this in your config file (defined above):

config AnalyzeApplication 192.168.0.0/24 -1

Note that the "-1" thing on the end is a "zone".  Just use -1 there.  "Zones" is a DAQ concept that none of the public Snort DAQs really support (the idea being that you can put an interface in a zone and use it as a shorthand).  You don't really need it to use the networks-to-monitor feature.  Note that you can specify multiple networks above.

3) You can exclude certain ports from detection as well.  Here are some examples that you would add to your config file:

portexclusion dst tcp 22 192.168.0.0/24
portexclusion src udp 1234 192.168.0.0/24

Note that if no config file is specified, we just default to monitoring everything (as before).  Also note the following convention for "all":

0.0.0.0/0
::/0

Hope that sheds some light on the questions.

- Mike Stepanek
   mstepane at ...5...

From: Y M [mailto:snort at ...46...]
Sent: Friday, December 04, 2015 5:53 AM
To: snort-openappid <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Snort 2.9.8.0 and OpenAppID


Hello,

While testing Snort 2.9.8.0 with OpenAppID version 254, the following was observed in Snort output which was not available in previous versions of Snort.

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1

.......

AppInfo: AppId 2683 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone:
        0.0.0.0-255.255.255.255 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.

Based on the above output, I have some questions:

1. Where can the "zone" be configured, if even possible? Should the "zone" be tied to $HOME_NET?

2. Is the "custom" directory designation officially replaced with "thirdparty"?

3. Where can the ports exclusions be configured, if even possible?

Looking at the current available documentation I could not find references to the above items.

Thanks.

YM
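As an added illustration (not code from this thread or from the Snort project), the following script parses an AppID config file of the shape Mike describes (AnalyzeApplication networks plus portexclusion lines) and models which flows AppID would still inspect, so a config can be sanity-checked before it is deployed. Two things are assumptions of mine, not statements from the thread: a flow counts as monitored if either endpoint falls in a listed network, and a portexclusion's network is matched against the address on the same side (src or dst) as the excluded port.

```python
import ipaddress

# Constructed sample of the optional AppID config file from the thread
# (the file whose path is given via the "conf" option of preprocessor appid).
SAMPLE_CONF = """\
# monitor only this network; -1 is the "any zone" value
config AnalyzeApplication 192.168.0.0/24 -1
portexclusion dst tcp 22 192.168.0.0/24
portexclusion src udp 1234 192.168.0.0/24
"""

def parse_appid_conf(text):
    """Return (networks, exclusions): networks is a list of (ip_network, zone),
    exclusions a list of (side, proto, port, ip_network). Unknown lines raise."""
    networks, exclusions = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[:2] == ["config", "AnalyzeApplication"] and len(f) == 4:
            networks.append((ipaddress.ip_network(f[2], strict=False), int(f[3])))
        elif (f[0] == "portexclusion" and len(f) == 5
              and f[1] in ("src", "dst") and f[2] in ("tcp", "udp")):
            exclusions.append((f[1], f[2], int(f[3]),
                               ipaddress.ip_network(f[4], strict=False)))
        else:
            raise ValueError(f"line {n}: unrecognised AppID config line: {raw!r}")
    if not networks:  # no networks listed: default to monitoring everything
        networks = [(ipaddress.ip_network("0.0.0.0/0"), -1),
                    (ipaddress.ip_network("::/0"), -1)]
    return networks, exclusions

def appid_would_inspect(conf, proto, src_ip, src_port, dst_ip, dst_port):
    """Model of the monitor/exclude decision for one flow (assumptions: either
    endpoint in a monitored network counts; an exclusion's network is matched
    on the same side as its port)."""
    networks, exclusions = conf
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(src in net or dst in net for net, _zone in networks):
        return False  # neither endpoint is in a monitored network
    for side, ex_proto, port, net in exclusions:
        ip, p = (src, src_port) if side == "src" else (dst, dst_port)
        if ex_proto == proto and p == port and ip in net:
            return False  # hit a portexclusion line
    return True
```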