[Snort-openappid] Possible issues using openappid

Cassiano Peixoto peixotocassiano at ...8...
Fri May 22 10:07:33 EDT 2015


I've been playing with openappid for some days and I ran into some possible
issues. Until now I have just been creating appstats to monitor my network
app access, but now I decided to block some apps using appid.

So, for instance, I'm trying to block Skype on my network with this rule:

reject tcp [any] any <> any any (msg : "skype:drop"; appid: skype; sid:100002; rev:4; )

I can see Skype matched in my appstats log file:

# u2openappid /var/log/snort/appstats-u2.log.1432303025 | grep skype

And I can see Skype dropped in the alert log:

# cat /var/log/snort/alert.fast | grep skype
05/22-10:57:43.209273  [**] [1:100002:4] skype:drop [**] [Priority: 0] {TCP} x.x.x.x.:36101 ->
05/22-10:57:43.420046  [**] [1:100002:4] skype:drop [**] [Priority: 0] {TCP} -> x.x.x.x:36101

But it keeps working on my network; it wasn't blocked. Skype is just an
example, but I have the same issue with other apps like SSH and FTP (in fact
I don't know why, but the FTP protocol is not recognized by appid). Even if I
try to block the chrome appid, it doesn't work.

Another thing: many times I have noticed my snort process increasing CPU
load after some reject rule matched. It looks like a kind of loop on the rules; I'm not
sure what's going on.

Thanks and congrats for good work.
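The two `grep` checks above only show that the rule fired; they do not show whether the session actually ended. As an added example that is not part of the original post or of Snort itself, the Python below parses Snort's alert_fast line format (the layout of the lines quoted above), counts alerts per rule, and lists flows that keep re-alerting on the same reject rule, which is the thing to look at when a "drop" rule matches but the app keeps working. The sample lines are constructed for this example with RFC 5737 documentation addresses; the `ssh:drop` rule (sid 100003) is an assumed second rule, not one from the post.

```python
import re
from collections import Counter

# Snort "alert_fast" layout, one alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
# The "[Classification: ...]" field is optional, and either endpoint may be
# empty (the lines quoted in the post had one endpoint scrubbed).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s*(?P<src>\S*)\s*->\s*(?P<dst>\S*)\s*$"
)

# Constructed sample alerts in the shape of the post's output (assumed data,
# not captured from a real sensor). Addresses are RFC 5737 documentation ranges.
SAMPLE_ALERTS = [
    "05/22-10:57:43.209273  [**] [1:100002:4] skype:drop [**] [Priority: 0] {TCP} 192.0.2.10:36101 -> 198.51.100.5:443",
    "05/22-10:57:43.420046  [**] [1:100002:4] skype:drop [**] [Priority: 0] {TCP} 192.0.2.10:36101 -> 198.51.100.5:443",
    "05/22-10:57:44.001000  [**] [1:100002:4] skype:drop [**] [Priority: 0] {TCP} 192.0.2.10:36101 -> 198.51.100.5:443",
    # Assumed second rule (sid 100003) with the optional Classification field present.
    "05/22-10:58:01.100000  [**] [1:100003:1] ssh:drop [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:50022 -> 198.51.100.9:22",
    # Destination scrubbed, as in the post: still parses, just with an empty dst.
    "05/22-10:59:00.000000  [**] [1:100002:4] skype:drop [**] [Priority: 0] {TCP} x.x.x.x:36101 ->",
    "not an alert line",
]


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        fields[key] = int(fields[key])
    return fields


def count_by_rule(lines):
    """Alerts per (sid, msg): what the post's `grep skype` did, but for every rule at once."""
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert:
            counts[(alert["sid"], alert["msg"])] += 1
    return counts


def repeated_flows(lines, threshold=2):
    """Flows (sid, src, dst) that alert at least `threshold` times.

    For a reject/drop rule, a flow that keeps re-alerting after the first hit
    is the case to investigate: the rule fires, yet the session is still alive.
    Lines with a missing endpoint are skipped, since the flow cannot be identified.
    """
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and alert["src"] and alert["dst"]:
            counts[(alert["sid"], alert["src"], alert["dst"])] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (sid, msg), n in sorted(count_by_rule(SAMPLE_ALERTS).items()):
        print(f"sid {sid} ({msg}): {n} alert(s)")
    for (sid, src, dst), n in repeated_flows(SAMPLE_ALERTS).items():
        print(f"sid {sid} re-alerted {n}x on {src} -> {dst}: flow not torn down?")
```

To run it against a real file, replace `SAMPLE_ALERTS` with the lines of `alert.fast`; a drop rule that behaves as intended should show each flow at most once or twice (the initial hit, plus possibly the reset exchange), not a steady stream of hits on the same src/dst pair.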