[Snort-openappid] Fwd: [Snort-users] Open App Id

Y M snort at ...46...
Mon Apr 4 09:48:56 EDT 2016


Hi Valentin,

To my limited understanding, the "appMapping.data" contains statically assigned IDs to app detectors. Static assignment is for AppIDs that have been generated or vetted by the OpenAppID team, and is not meant to be used for custom IDs. 

For custom IDs, it seems that the AppID engine will dynamically and automatically assign an ID to your custom app detector on the fly when you run Snort. Anyway, please correct me if my understanding is completely off!

Can you please tell me how you are generating the detectors? Also show where your custom detectors are being saved on disk. This will help troubleshoot why you are getting "__unknown" IDs.

YM

________________________________________
From: Joel Esler <jesler at ...5...>
Sent: Monday, April 4, 2016 12:35 PM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id

Forwarded message:

> From: valentin.giraud at ...128...
> To: Snort Users <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Fwd: Open App Id
> Date: Mon, 4 Apr 2016 13:17:29 +0200
>
>
>
> -------- Original message --------
> Subject: Open App Id
> Date: 04.04.2016 11:07
> From: valentin.giraud at ...128...
> To: snort-users at lists.sourceforge.net
>
> Hi snort community,
>
> I am currently trying to write some detectors in Lua for App Id.
> But there are 2 or 3 things that I need your help to understand.
> - In what way can I use the "appMapping.data"? Because I wrote some
> Lua detectors and they work without using it...
> - There are a lot of apps that are not working really well, e.g. when I
> go on "www.facebook.com" it works only from time to time... Have you any
> idea?
> - I have a lot of DNS and __unknown AppName; do you have any idea
> where it could come from?
>
> examples of a session:
>
> ********
> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>
> ************
>
> Valentin.
>

------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
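As an added example (not code from this thread, from Snort or from the OpenAppID project), here is a small Python script that parses the statTime/appName/txBytes/rxBytes records Valentin quoted, groups records that share a timestamp and byte counts (in the quoted session Firefox, HTTP and the custom detector name are reported with identical counts, so summing bytes per appName would count the same traffic several times), and reports the share of flows whose only label is __unknown. The sample records below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the statTime/appName/txBytes/rxBytes record format
# quoted in the thread (values are made up here, not taken from a sensor).
SAMPLE = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
"""

# key="value" pairs; the value may contain spaces ("Google Maps")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_records(text):
    """Parse key="value" records, skipping separator/blank lines; byte fields become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip().startswith("statTime="):
            continue
        rec = dict(FIELD_RE.findall(line))
        rec["txBytes"] = int(rec["txBytes"])
        rec["rxBytes"] = int(rec["rxBytes"])
        records.append(rec)
    return records

def labels_per_flow(records):
    """Group records sharing statTime and byte counts: in the quoted sample these
    are one flow reported once per app label (e.g. Firefox + HTTP + custom name)."""
    flows = defaultdict(list)
    for rec in records:
        flows[(rec["statTime"], rec["txBytes"], rec["rxBytes"])].append(rec["appName"])
    return dict(flows)

def unknown_share(records):
    """Fraction of flows (not records) whose only label is __unknown."""
    flows = labels_per_flow(records)
    if not flows:
        return 0.0
    unknown = sum(1 for names in flows.values() if names == ["__unknown"])
    return unknown / len(flows)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for key, names in labels_per_flow(recs).items():
        print(key, names)
    print("unknown share:", unknown_share(recs))
```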


