[Snort-openappid] Snort exits when using appid

Y M snort at ...46...
Tue Sep 1 08:37:53 EDT 2015


Are you using custom appid detectors? If yes, then you need to create the userappid.conf, such as:
touch /path/to/appid/custom/userappid.conf
It does not need to be filled with anything.
Sent from Mobile

    _____________________________
From: Gabriel Corre <gabriel.corre at ...94...>
Sent: Tuesday, September 1, 2015 3:32 PM
Subject: [Snort-openappid] Snort exits when using appid
To:  <snort-openappid at lists.sourceforge.net>


                     

Hi !

I’m currently working on getting snort working with openappid and I think I’m pretty close.
However, when I’m launching Snort I get :

Could not read configuration file /usr/local/etc/cisco/app/custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.2
    Setting tracker size to 211
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3970 is UNKNOWN
AppInfo: AppId 939 is UNKNOWN
AppInfo: AppId 939 is UNKNOWN
AppInfo: AppId 1697 is UNKNOWN
AppInfo: AppId 3971 is UNKNOWN
AppInfo: AppId 3971 is UNKNOWN
    TCP Port-Only Services

And Snort exits without any error message.
I cannot find the “userappid.conf” but I'm not sure this is the problem.
 
     

     

This is my Snort info :

Version 2.9.7.5 GRE (Build 262)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: APPID  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>

     

     

Any idea?

Cheers

--

Gabriel Corré
Network Engineer, Ops - Core Infrastructure
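
Added example (not part of the original messages and not Snort project code): a shell helper that reads Snort startup output, pulls the paths out of "Could not read configuration file" lines like the one quoted above, and creates an empty file only when the missing file is named userappid.conf, as the reply suggests. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: act on "Could not read configuration file <path>" lines
# from Snort's startup output. Function names are hypothetical.

# Print each distinct path named in such lines on stdin.
# Leading/trailing whitespace (including CRs) is trimmed.
unreadable_confs() {
    sed -n 's/^[[:space:]]*Could not read configuration file[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | sort -u
}

# Create an empty file at $1 (and its parent directory) only when the file
# is named userappid.conf and nothing exists at that path yet.
# Returns 0 if the file was created, non-zero if it was left alone.
ensure_userappid_conf() {
    conf=$1
    [ "$(basename "$conf")" = "userappid.conf" ] || return 1
    [ -e "$conf" ] && return 1
    mkdir -p "$(dirname "$conf")" && : > "$conf"
}

# Read Snort startup output on stdin and report what was done per path.
fix_from_snort_output() {
    unreadable_confs | while IFS= read -r path; do
        if ensure_userappid_conf "$path"; then
            echo "created $path"
        else
            echo "skipped $path"
        fi
    done
}

# Constructed sample input; the path lives in a scratch directory,
# not in a real Snort installation.
demo_root=$(mktemp -d)
printf '%s\n' \
    "Could not read configuration file $demo_root/app/custom/userappid.conf    " \
    "LuaJIT: Version LuaJIT 2.0.2" \
    "AppInfo: AppId 3861 is UNKNOWN" | fix_from_snort_output
rm -rf "$demo_root"
```

On a real sensor the created file also has to be readable by the account Snort runs as.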

 