[Snort-openappid] Snort exits when using appid

snort at ...46... snort at ...46...
Tue Sep 1 08:58:27 EDT 2015


Is the error this time showing the same path as the first time?

Sent from Mobile




On Tue, Sep 1, 2015 at 5:46 AM -0700, "Gabriel Corre" <gabriel.corre at ...96.....> wrote:
Oh ok, no I don’t.
I created the file (you never know… ^^) and Snort loads it but I still have these “AppInfo: AppId **** is UNKNOWN” and Snort still exits after showing all TCP and UDP ports.

--

Gabriel Corré

From: Y M [mailto:snort at ...46...]
Sent: Tuesday, 1 September 2015 14:38
To: Gabriel Corre <gabriel.corre at ...94...>; snort-openappid at ...11...ceforge.net
Subject: Re: [Snort-openappid] Snort exits when using appid

Are you using custom appid detectors? If yes, then you need to create the userappid.conf such as:

touch /path/to/appid/custom/userappid.conf

It does not need to be filled with anything.

Sent from Mobile

_____________________________
From: Gabriel Corre <gabriel.corre at ...94...>
Sent: Tuesday, September 1, 2015 3:32 PM
Subject: [Snort-openappid] Snort exits when using appid
To: <snort-openappid at lists.sourceforge.net>

Hi !

I’m currently working on getting snort working with openappid and I think I’m pretty close.
However, when I’m launching Snort I get:
Could not read configuration file /usr/local/etc/cisco/app/custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.2
    Setting tracker size to 211
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3970 is UNKNOWN
AppInfo: AppId 939 is UNKNOWN
AppInfo: AppId 939 is UNKNOWN
AppInfo: AppId 1697 is UNKNOWN
AppInfo: AppId 3971 is UNKNOWN
AppInfo: AppId 3971 is UNKNOWN
    TCP Port-Only Services

And Snort exits without any error message.
I cannot find the “userappid.conf” but I'm not sure this is the problem.

This is my Snort info:
Version 2.9.7.5 GRE (Build 262)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: APPID  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>


Any Idea?

Cheers
--

Gabriel Corré
Network Engineer, Ops - Core Infrastructure

