[Snort-openappid] Unknown preprocessor: "appid" while installing OPENAPPID

Costas Kleopa (ckleopa) ckleopa at ...5...
Sun Feb 15 10:03:09 EST 2015


If apt-get didn't uninstall it, then it was probably not installed with that either.

You can either delete snort, redownload the source, reconfigure it with OpenAppID and make a fresh build. When snort is installed on your system, make sure that the new build is the one you are accessing.

Thanks,
Costas

On Feb 15, 2015, at 9:55 AM, Rishabh Shah <rishabh420 at ...8...> wrote:

Hi Costas,

Thanks for your prompt response. In that case, I will remove snort and install it again. But I am able to access snort commands after issuing apt-get remove snort. Is there a better way to uninstall snort?

root at ...70...:/etc/snort# apt-get remove snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'snort' is not installed, so not removed

root at ...70...:/etc# snort -?

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8



On Sun, Feb 15, 2015 at 8:07 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:
It seems that snort is not properly configured for OpenAppID. Take a look at this blog post and either check if step 5 is included in your configurations or something else from these instructions.

http://blog.snort.org/2014/03/openappid-install-video.html

Thanks,
Costas

On Feb 15, 2015, at 9:26 AM, Rishabh Shah <rishabh420 at ...8...> wrote:

Hi Snort Team,

I am hitting another issue while compiling the snort.conf after appending preprocessor openappid in it. This is a snippet of the output after compiling the configuration file:

AppId Configuration
    Detector Path:          /usr/local/lib/openappid/
    appStats Files:         appstats-unified.log
    appStats Period:        60 secs
    appStats Rollover Size: 20971520 bytes
    appStats Rollover time: 86400 secs

    AppInfo read from /usr/local/lib/openappid//odp/appMapping.data
Loading configuration file /usr/local/lib/openappid//odp/appid.conf
AppId: adding appIds to list of referred web apps: 2032 1520 1306 1307 1308 1310 1311 1312 1313 1314 1315 1316 137 1318 1319 1336 1337 1362 1372 1373 1424 1425 1457 1491 1619 1656 1659 1720 1721 1722 1723 1724 1725 1726 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1750 1751 1752 1776 1778 1804 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1869 1873 1874 1875 1876 1877 1878 1879 1881 1882 1883 1884 1885 1886 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1903 1904 1905 1906 1907 1908 1909 1910 1912 1913 1919 1920 1921 1923 1924 1925 1926 1928 1929 1930 1931 1933 1934 1935 1936 1937 1938 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1953 1955 1956 1957 1958 1959 1960
AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966 1969 1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985 1986 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129 2131 1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159 2162 2019 2072 1508 1063 2261 2664 2690 3873 3867
Could not read configuration file /usr/local/lib/openappid//custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.2
    Setting tracker size to 212
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3885 is UNKNOWN
AppInfo: AppId 699 is UNKNOWN
root at ...70...:/etc/snort#

The output abruptly ends at Appinfo and fails to publish the following statements, which I receive when the snort.conf file is without OpenAppID preprocessor.

Snort successfully validated the configuration!
Snort exiting

Am I missing something here?

On Fri, Feb 6, 2015 at 10:59 AM, Rishabh Shah <rishabh420 at ...8...> wrote:
Sure. Thank you so much for all your help.

On Thu, Feb 5, 2015 at 10:28 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:
Yes, we are aware of these issues and we are planning on fixing them in one of our future releases.

Thanks
Costas

On Feb 5, 2015, at 11:42 AM, Rishabh Shah <rishabh420 at ...8...> wrote:

Hi Costas,

Thanks for your prompt reply. That solved my problem. Also while running the configuration file, I saw the following message:
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3885 is UNKNOWN
AppInfo: AppId 699 is UNKNOWN

Do we have a fix for this issue?

On Thu, Feb 5, 2015 at 8:44 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:
When you were compiling snort, did you make sure you ran the configure command with:

./configure --enable-open-appid

Thanks
Costas

On Feb 5, 2015, at 7:07 AM, Rishabh Shah <rishabh420 at ...8...> wrote:

Hi Snort Team,

Hope you are doing well.

I am installing Snort and OpenAppID on my Ubuntu machine (Ubuntu 14.04.1 LTS). I was following the instructions listed on this website <http://blog.snort.org/2014/03/openappid-install-video.html>. I am hitting an issue in the 5th step, Enabling OpenAppID in Snort.
I appended

    preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 60, app_detector_dir /usr/local/lib/openappid

in the snort.conf file and executed [snort -c /etc/snort/snort.conf -T] to check if the configuration was clean or not. I ran into the following error message:
Reputation config:
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
ERROR: /etc/snort/snort.conf(515) Unknown preprocessor: "appid".
Fatal Error, Quitting..

Some details on Snort:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8


Can you help me to debug this issue? Many thanks in advance!!

Regards,
Rishabh Shah.
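
Added example (not part of the original thread and not Snort project code): a POSIX shell triage for the two problems discussed here, a `snort` binary still on PATH that `apt-get remove` does not own, and a build made without `./configure --enable-open-appid`. The function names and the `SNORT_CONF` variable are assumptions made for this example; the matched messages are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: triage for the two symptoms in this thread.
# SNORT_CONF is a hypothetical variable name used only by this script.

# Print every executable named "snort" found in a colon-separated
# search path (default: $PATH), in lookup order. The first line is the
# binary the shell runs; any further lines are leftover installs.
list_snort_binaries() (
    IFS=:
    set -f                      # no glob expansion while splitting
    for dir in ${1:-$PATH}; do
        if [ -n "$dir" ] && [ -f "$dir/snort" ] && [ -x "$dir/snort" ]; then
            printf '%s\n' "$dir/snort"
        fi
    done
)

# "packaged" if dpkg owns the file (apt-get remove can uninstall it),
# otherwise "not-packaged" (e.g. placed there by "make install").
snort_origin() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        echo packaged
    else
        echo not-packaged
    fi
}

# Classify the output of "snort -c <conf> -T" using messages quoted in
# the thread.
classify_config_test() {
    case "$1" in
        *'Unknown preprocessor: "appid"'*) echo built-without-openappid ;;
        *'Snort successfully validated the configuration!'*) echo ok ;;
        *) echo ended-before-validation ;;
    esac
}

# Report only when SNORT_CONF is set, e.g.
#   SNORT_CONF=/etc/snort/snort.conf sh check_snort.sh
if [ -n "${SNORT_CONF:-}" ]; then
    list_snort_binaries | while read -r bin; do
        echo "$bin: $(snort_origin "$bin")"
    done
    first=$(list_snort_binaries | head -n 1)
    if [ -n "$first" ]; then
        classify_config_test "$("$first" -c "$SNORT_CONF" -T 2>&1)"
    fi
fi
```

A `not-packaged` binary listed first means the source-built copy has to be removed or rebuilt by hand, which matches the advice at the top of the thread.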