[Snort-openappid] Unknown preprocessor: "appid" while installing OPENAPPID

Rishabh Shah rishabh420 at ...8...
Sun Feb 15 09:55:21 EST 2015


Hi Costas,

Thanks for your prompt response. In that case, I will remove snort and
install it again. But I am able to access snort commands after issuing
apt-get remove snort. Is there a better way to uninstall snort?

root at ...70...:/etc/snort# apt-get remove snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'snort' is not installed, so not removed

root at ...70...:/etc# snort -?

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights
reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8



On Sun, Feb 15, 2015 at 8:07 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...>
wrote:

>  It seems that snort is not properly configured for OpenAppID. Take a
> look at this blog post and either check if step 5 is included in your
> configurations or something else from these instructions.
>
>  http://blog.snort.org/2014/03/openappid-install-video.html
>
> Thanks,
> Costas
>
> On Feb 15, 2015, at 9:26 AM, Rishabh Shah <rishabh420 at ...8...> wrote:
>
>   Hi Snort Team,
>
>  I am hitting another issue while compiling the snort.conf after
> appending preprocessor openappid in it. This is a snippet of the output
> after compiling the configuration file:
>
>  AppId Configuration
>     Detector Path:          /usr/local/lib/openappid/
>     appStats Files:         appstats-unified.log
>     appStats Period:        60 secs
>     appStats Rollover Size: 20971520 bytes
>     appStats Rollover time: 86400 secs
>
>      AppInfo read from /usr/local/lib/openappid//odp/appMapping.data
> Loading configuration file /usr/local/lib/openappid//odp/appid.conf
> AppId: adding appIds to list of referred web apps: 2032 1520 1306 1307
> 1308 1310 1311 1312 1313 1314 1315 1316 137 1318 1319 1336 1337 1362 1372
> 1373 1424 1425 1457 1491 1619 1656 1659 1720 1721 1722 1723 1724 1725 1726
> 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743
> 1744 1745 1746 1747 1748 1750 1751 1752 1776 1778 1804 1850 1851 1852 1853
> 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1869
> 1873 1874 1875 1876 1877 1878 1879 1881 1882 1883 1884 1885 1886 1888 1889
> 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1903 1904 1905 1906
> 1907 1908 1909 1910 1912 1913 1919 1920 1921 1923 1924 1925 1926 1928 1929
> 1930 1931 1933 1934 1935 1936 1937 1938 1940 1941 1942 1943 1944 1945 1946
> 1947 1948 1949 1950 1951 1953 1955 1956 1957 1958 1959 1960
> AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966
> 1969 1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985 1986
> 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129
> 2131 1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159
> 2162 2019 2072 1508 1063 2261 2664 2690 3873 3867
> Could not read configuration file
> /usr/local/lib/openappid//custom/userappid.conf
> LuaJIT: Version LuaJIT 2.0.2
>     Setting tracker size to 212
> AppInfo: AppId 740 is UNKNOWN
> AppInfo: AppId 740 is UNKNOWN
> AppInfo: AppId 3861 is UNKNOWN
> AppInfo: AppId 3885 is UNKNOWN
> AppInfo: AppId 699 is UNKNOWN
>  root at ...70...:/etc/snort#
>
>  The output abruptly ends at Appinfo and fails to publish the following
> statements, which I receive when the snort.conf file is without OpenAppID
> preprocessor.
>
>  Snort successfully validated the configuration!
> Snort exiting
>
>  Am I missing something here?
>
> On Fri, Feb 6, 2015 at 10:59 AM, Rishabh Shah <rishabh420 at ...8...>
> wrote:
>
>> Sure. Thank you so much for all your help.
>>
>> On Thu, Feb 5, 2015 at 10:28 PM, Costas Kleopa (ckleopa) <
>> ckleopa at ...5...> wrote:
>>
>>> Yes, we are aware of these issues and we are planning on fixing them in
>>> one of our future releases.
>>>
>>>  Thanks
>>>  Costas
>>>
>>>  On Feb 5, 2015, at 11:42 AM, Rishabh Shah <rishabh420 at ...8...> wrote:
>>>
>>>  Hi Costas,
>>>
>>>  Thanks for your prompt reply. That solved my problem. Also while
>>> running the configuration file, I saw the following message:
>>>  AppInfo: AppId 740 is UNKNOWN
>>> AppInfo: AppId 740 is UNKNOWN
>>> AppInfo: AppId 3861 is UNKNOWN
>>> AppInfo: AppId 3885 is UNKNOWN
>>> AppInfo: AppId 699 is UNKNOWN
>>>
>>>  Do we have a fix for this issue?
>>>
>>> On Thu, Feb 5, 2015 at 8:44 PM, Costas Kleopa (ckleopa) <
>>> ckleopa at ...5...> wrote:
>>>
>>>> When you are compiling snort, did you make sure you run the configure
>>>> command with:
>>>>
>>>>  ./configure --enable-open-appid
>>>>
>>>>  Thanks
>>>> Costas
>>>>
>>>>   On Feb 5, 2015, at 7:07 AM, Rishabh Shah <rishabh420 at ...8...>
>>>> wrote:
>>>>
>>>>    Hi Snort Team,
>>>>
>>>>  Hope you are doing well.
>>>>
>>>>  I am installing Snort and OpenAPPID on my UBUNTU machine (Ubuntu
>>>> 14.04.1 LTS). I was following the instructions listed on this
>>>> <http://blog.snort.org/2014/03/openappid-install-video.html> website.
>>>> I am hitting an issue in the 5th Step - Enabling OpenAppID in Snort.
>>>> I appended preprocessor appid : app_stats_filename
>>>> appstats-unified.log, app_stats_period 60, app_detector_dir
>>>> /usr/local/lib/openappid in the snort.conf file and executed [snort -c
>>>> /etc/snort/snort.conf -T] to check if the configuration was clean or not. I
>>>> ran into the following error message:
>>>>  Reputation config:
>>>> WARNING: Can't find any whitelist/blacklist entries. Reputation
>>>> Preprocessor disabled.
>>>> *ERROR: /etc/snort/snort.conf(515) Unknown preprocessor: "appid".*
>>>> Fatal Error, Quitting..
>>>>
>>>>  Some details on Snort:
>>>>     ,,_     -*> Snort! <*-
>>>>   o"  )~   Version 2.9.7.0 GRE (Build 149)
>>>>    ''''    By Martin Roesch & The Snort Team:
>>>> http://www.snort.org/contact#team
>>>>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
>>>> reserved.
>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>            Using libpcap version 1.5.3
>>>>            Using PCRE version: 8.31 2012-07-06
>>>>            Using ZLIB version: 1.2.8
>>>>
>>>>
>>>>  Can you help me to debug this issue? Many thanks in advance!!
>>>>
>>>> Regards,
>>>> Rishabh Shah.
>>>>
>>>
>>>
>>>  --
>>> Regards,
>>> Rishabh Shah.
>>>
>>>
>>>
>>
>>
>>   --
>> Regards,
>> Rishabh Shah.
>>
>
>
>
>  --
> Regards,
> Rishabh Shah.
>
>


-- 
Regards,
Rishabh Shah.
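
The two failure signatures reported in this thread (the `Unknown preprocessor: "appid"` error, and a `snort -T` run that loads AppId but never prints the validation line) can be told apart mechanically from the test output. The following is an added example, not part of the original messages or of Snort's own tooling; the function names and verdict strings are hypothetical, and the sample logs are constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example: triage the output of `snort -c /etc/snort/snort.conf -T`.
# Function names and verdict strings are hypothetical, not part of Snort.

# Read snort -T output on stdin and print one verdict word.
classify_snort_test() {
    _out=$(cat)
    case $_out in
        *'Unknown preprocessor: "appid"'*)
            # The binary was built without ./configure --enable-open-appid
            echo built-without-appid ;;
        *'Snort successfully validated the configuration!'*)
            echo validated ;;
        *'AppId Configuration'*)
            # The appid preprocessor was parsed, but the run ended before
            # the validation line was printed
            echo stopped-after-appid-load ;;
        *)
            echo failed-other ;;
    esac
}

# Read the same output on stdin and print the distinct AppIds reported as
# UNKNOWN, ascending and space separated (repeated lines are collapsed).
unknown_appids() {
    sed -n 's/.*AppInfo: AppId \([0-9][0-9]*\) is UNKNOWN.*/\1/p' |
        sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed samples, assembled from lines quoted in the thread.
SAMPLE_NO_APPID='Reputation config:
ERROR: /etc/snort/snort.conf(515) Unknown preprocessor: "appid".
Fatal Error, Quitting..'

SAMPLE_TRUNCATED='AppId Configuration
    Detector Path:          /usr/local/lib/openappid/
LuaJIT: Version LuaJIT 2.0.2
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3885 is UNKNOWN
AppInfo: AppId 699 is UNKNOWN'

# Live use, capturing both output streams:
#   snort -c /etc/snort/snort.conf -T 2>&1 | classify_snort_test
```
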