[Snort-openappid] Unknown preprocessor: "appid" while installing OPENAPPID

Rishabh Shah rishabh420 at ...8...
Sun Feb 15 11:04:08 EST 2015


Hi Costas,

I deleted snort and reinstalled it again using the guide. But I am running
into the same issue. While compiling the configuration file, it stops at:

    AppInfo read from /usr/local/lib/openappid/odp/appMapping.data
Loading configuration file /usr/local/lib/openappid/odp/appid.conf
AppId: adding appIds to list of referred web apps: 2032 1520 1306 1307 1308
1310 1311 1312 1313 1314 1315 1316 137 1318 1319 1336 1337 1362 1372 1373
1424 1425 1457 1491 1619 1656 1659 1720 1721 1722 1723 1724 1725 1726 1729
1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744
1745 1746 1747 1748 1750 1751 1752 1776 1778 1804 1850 1851 1852 1853 1854
1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1869 1873
1874 1875 1876 1877 1878 1879 1881 1882 1883 1884 1885 1886 1888 1889 1890
1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1903 1904 1905 1906 1907
1908 1909 1910 1912 1913 1919 1920 1921 1923 1924 1925 1926 1928 1929 1930
1931 1933 1934 1935 1936 1937 1938 1940 1941 1942 1943 1944 1945 1946 1947
1948 1949 1950 1951 1953 1955 1956 1957 1958 1959 1960
AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966 1969
1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985 1986 1987
629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129 2131
1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159 2162
2019 2072 1508 1063 2261 2664 2690 3873 3867
Could not read configuration file
/usr/local/lib/openappid/custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.2
    Setting tracker size to 212
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3885 is UNKNOWN
AppInfo: AppId 699 is UNKNOWN
root at ...70...:~/snort_src/#

On Sun, Feb 15, 2015 at 8:33 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...>
wrote:

>  If apt-get didn't get it uninstalled, then it was probably not installed
> with that either.
>
>  You can either delete snort, redownload the source, reconfigure it with
> OpenAppID and make a fresh build. When snort is installed on your system,
> make sure that the new build is the one you are accessing.
>
> Thanks,
> Costas
>
> On Feb 15, 2015, at 9:55 AM, Rishabh Shah <rishabh420 at ...8...> wrote:
>
>   Hi Costas,
>
>  Thanks for your prompt response. In that case, I will remove snort and
> install it again. But I am able to access snort commands after issuing
> apt-get remove snort. Is there a better way to uninstall snort?
>
>  root at ...70...:/etc/snort# apt-get remove snort
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Package 'snort' is not installed, so not removed
>
>  root at ...70...:/etc# snort -?
>
>     ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.7.0 GRE (Build 149)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
>
>
> On Sun, Feb 15, 2015 at 8:07 PM, Costas Kleopa (ckleopa) <
> ckleopa at ...5...> wrote:
>
>>  It seems that snort is not properly configured for OpenAppID. Take a
>> look at this blog post and either check if step 5 is included in your
>> configurations or something else from these instructions.
>>
>>  http://blog.snort.org/2014/03/openappid-install-video.html
>>
>> Thanks,
>> Costas
>>
>> On Feb 15, 2015, at 9:26 AM, Rishabh Shah <rishabh420 at ...8...> wrote:
>>
>>   Hi Snort Team,
>>
>>  I am hitting another issue while compiling the snort.conf after
>> appending preprocessor openappid in it. This is a snippet of the output
>> after compiling the configuration file:
>>
>>  AppId Configuration
>>     Detector Path:          /usr/local/lib/openappid/
>>     appStats Files:         appstats-unified.log
>>     appStats Period:        60 secs
>>     appStats Rollover Size: 20971520 bytes
>>     appStats Rollover time: 86400 secs
>>
>>      AppInfo read from /usr/local/lib/openappid//odp/appMapping.data
>> Loading configuration file /usr/local/lib/openappid//odp/appid.conf
>> AppId: adding appIds to list of referred web apps: 2032 1520 1306 1307
>> 1308 1310 1311 1312 1313 1314 1315 1316 137 1318 1319 1336 1337 1362 1372
>> 1373 1424 1425 1457 1491 1619 1656 1659 1720 1721 1722 1723 1724 1725 1726
>> 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743
>> 1744 1745 1746 1747 1748 1750 1751 1752 1776 1778 1804 1850 1851 1852 1853
>> 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1869
>> 1873 1874 1875 1876 1877 1878 1879 1881 1882 1883 1884 1885 1886 1888 1889
>> 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1903 1904 1905 1906
>> 1907 1908 1909 1910 1912 1913 1919 1920 1921 1923 1924 1925 1926 1928 1929
>> 1930 1931 1933 1934 1935 1936 1937 1938 1940 1941 1942 1943 1944 1945 1946
>> 1947 1948 1949 1950 1951 1953 1955 1956 1957 1958 1959 1960
>> AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966
>> 1969 1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985 1986
>> 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129
>> 2131 1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159
>> 2162 2019 2072 1508 1063 2261 2664 2690 3873 3867
>> Could not read configuration file
>> /usr/local/lib/openappid//custom/userappid.conf
>> LuaJIT: Version LuaJIT 2.0.2
>>     Setting tracker size to 212
>> AppInfo: AppId 740 is UNKNOWN
>> AppInfo: AppId 740 is UNKNOWN
>> AppInfo: AppId 3861 is UNKNOWN
>> AppInfo: AppId 3885 is UNKNOWN
>> AppInfo: AppId 699 is UNKNOWN
>>  root at ...70...:/etc/snort#
>>
>>  The output abruptly ends at AppInfo and fails to publish the following
>> statements, which I receive when the snort.conf file is without the OpenAppID
>> preprocessor.
>>
>>  Snort successfully validated the configuration!
>> Snort exiting
>>
>>  Am I missing something here?
>>
>> On Fri, Feb 6, 2015 at 10:59 AM, Rishabh Shah <rishabh420 at ...8...>
>> wrote:
>>
>>> Sure. Thank you so much for all your help.
>>>
>>> On Thu, Feb 5, 2015 at 10:28 PM, Costas Kleopa (ckleopa) <
>>> ckleopa at ...5...> wrote:
>>>
>>>> Yes, we are aware of these issues and we are planning on fixing them in
>>>> one of our future releases.
>>>>
>>>>  Thanks
>>>>  Costas
>>>>
>>>>  On Feb 5, 2015, at 11:42 AM, Rishabh Shah <rishabh420 at ...8...>
>>>> wrote:
>>>>
>>>>  Hi Costas,
>>>>
>>>>  Thanks for your prompt reply. That solved my problem. Also while
>>>> running the configuration file, I saw the following message:
>>>>  AppInfo: AppId 740 is UNKNOWN
>>>> AppInfo: AppId 740 is UNKNOWN
>>>> AppInfo: AppId 3861 is UNKNOWN
>>>> AppInfo: AppId 3885 is UNKNOWN
>>>> AppInfo: AppId 699 is UNKNOWN
>>>>
>>>>  Do we have a fix for this issue?
>>>>
>>>> On Thu, Feb 5, 2015 at 8:44 PM, Costas Kleopa (ckleopa) <
>>>> ckleopa at ...5...> wrote:
>>>>
>>>>> When you were compiling snort, did you make sure you ran the configure
>>>>> command with:
>>>>>
>>>>>  ./configure --enable-open-appid
>>>>>
>>>>>  Thanks
>>>>> Costas
>>>>>
>>>>>   On Feb 5, 2015, at 7:07 AM, Rishabh Shah <rishabh420 at ...8...>
>>>>> wrote:
>>>>>
>>>>>    Hi Snort Team,
>>>>>
>>>>>  Hope you are doing well.
>>>>>
>>>>>  I am installing Snort and OpenAppID on my Ubuntu machine (Ubuntu
>>>>> 14.04.1 LTS). I was following the instructions listed on this
>>>>> <http://blog.snort.org/2014/03/openappid-install-video.html> website.
>>>>> I am hitting an issue in the 5th step, Enabling OpenAppID in Snort.
>>>>> I appended preprocessor appid : app_stats_filename
>>>>> appstats-unified.log, app_stats_period 60, app_detector_dir
>>>>> /usr/local/lib/openappid in the snort.conf file and executed [snort
>>>>> -c /etc/snort/snort.conf -T] to check if the configuration was clean or
>>>>> not. I ran into the following error message:
>>>>>  Reputation config:
>>>>> WARNING: Can't find any whitelist/blacklist entries. Reputation
>>>>> Preprocessor disabled.
>>>>> *ERROR: /etc/snort/snort.conf(515) Unknown preprocessor: "appid".*
>>>>> Fatal Error, Quitting..
>>>>>
>>>>>  Some details on Snort:
>>>>>     ,,_     -*> Snort! <*-
>>>>>   o"  )~   Version 2.9.7.0 GRE (Build 149)
>>>>>    ''''    By Martin Roesch & The Snort Team:
>>>>> http://www.snort.org/contact#team
>>>>>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
>>>>> reserved.
>>>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>>>            Using libpcap version 1.5.3
>>>>>            Using PCRE version: 8.31 2012-07-06
>>>>>            Using ZLIB version: 1.2.8
>>>>>
>>>>>
>>>>>  Can you help me to debug this issue? Many thanks in advance!!
>>>>>
>>>>> Regards,
>>>>> Rishabh Shah.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>  --
>>>> Regards,
>>>> Rishabh Shah.
>>>>
>>>>
>>>>
>>>
>>>
>>>   --
>>> Regards,
>>> Rishabh Shah.
>>>
>>
>>
>>
>>  --
>> Regards,
>> Rishabh Shah.
>>
>>
>
>
>  --
> Regards,
> Rishabh Shah.
>
>


-- 
Regards,
Rishabh Shah.
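
An added example, not part of the original thread and not Snort's own tooling: a shell triage for the two symptoms reported above (an `apt-get remove` that finds no package while `snort` still runs, and a `-T` run that never prints the validation line). `list_snort_binaries` and `classify_snort_test` are hypothetical helper names; the matched strings are the messages quoted in this thread, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample input is constructed.

# Print every executable named "snort" found in a PATH-style string, in
# lookup order. The first line is the binary the shell actually runs; any
# later lines are shadowed builds (for example, an older source install).
list_snort_binaries() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/snort" ] && [ -x "$dir/snort" ]; then
            printf '%s\n' "$dir/snort"
        fi
    done
    IFS=$old_ifs
}

# Classify the text of a `snort -c <conf> -T` run read from stdin, using
# only the messages that appear in this thread.
classify_snort_test() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Snort successfully validated the configuration!'; then
        echo validated
    elif printf '%s\n' "$out" | grep -q 'Unknown preprocessor: "appid"'; then
        # Binary was built without ./configure --enable-open-appid
        echo appid-not-compiled-in
    elif printf '%s\n' "$out" | grep -q '^AppInfo: '; then
        # AppId data loaded, but the run ended before validation finished
        echo stopped-after-appid-load
    else
        echo unknown
    fi
}

# Constructed sample: tail of a run shaped like the one quoted above.
sample_tail='LuaJIT: Version LuaJIT 2.0.2
AppInfo: AppId 740 is UNKNOWN
AppInfo: AppId 699 is UNKNOWN'

echo "snort binaries on PATH, in lookup order:"
list_snort_binaries "$PATH"
echo "sample run: $(printf '%s\n' "$sample_tail" | classify_snort_test)"
```

To classify a real run, pipe it in with `snort -c /etc/snort/snort.conf -T 2>&1 | classify_snort_test`.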