[Snort-openappid] Fwd: [Snort-users] Open App Id

Mike Stepanek (mstepane) mstepane at ...5...
Mon Apr 4 10:49:48 EDT 2016

To add to that...

 - For Facebook, I believe most of the detectors are based on SSL certificate info.  If you have any browsers falling back to SSL v2, the requested hostname won't be in the request, and you might not get a hit.

 - You'll see "DNS" for DNS requests.  For traffic from browsers, I'd expect to see a bunch of those.  :)

 - If you're seeing __unknown, it basically means that a detector is reporting an app ID (number) that's not known in the app ID table (appMapping.data plus any dynamic ones that you create).  Therefore, it can't resolve a name for it to print out.  If it's reporting that for an app that you're getting from ODP, it's generally good to make sure you've got the latest from snort.org.  Mismatches do occasionally slip through (best effort to keep them cleaned up).  If it's coming from your detector, you may be adding a service (or whatever) with an invalid app ID (you can convert an app ID name to a number).

-----Original Message-----
From: Y M [mailto:snort at ...46...] 
Sent: Monday, April 04, 2016 9:49 AM
To: valentin.giraud at ...128...
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id

Hi Valentin,

To my limited understanding, the "appMapping.data" contains statically assigned IDs to app detectors. Static assignment is for AppIDs that have been generated or vetted by the OpenAppID team, and is not meant to be used for custom IDs. 

For custom IDs, it seems that the AppID engine will dynamically and automatically assign an ID to your custom app detector on the fly when you run Snort. Anyone, please correct me if my understanding is completely off!

Can you please tell me how you are generating the detectors? Also show where your custom detectors are being saved on disk. This will help troubleshoot why you are getting "__unknown" IDs.


From: Joel Esler <jesler at ...5...>
Sent: Monday, April 4, 2016 12:35 PM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id

Forwarded message:

> From: valentin.giraud at ...128...
> To: Snort Users <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Fwd: Open App Id
> Date: Mon, 4 Apr 2016 13:17:29 +0200
> -------- Original message --------
> Subject: Open App Id
> Date: 04.04.2016 11:07
> From: valentin.giraud at ...128...
> To: snort-users at lists.sourceforge.net
> Hi snort community,
> I am currently trying to write some detectors in Lua for App Id.
> But there are 2 or 3 things that I need your help to understand.
> - In what way can I use the "appMapping.data"? Because I wrote some 
> Lua detectors and they work without using it...
> - There are a lot of apps that are not working really well, e.g. when I 
> go on "www.facebook.com" it works only from time to time...  Have you any 
> idea?
> - I have a lot of DNS and __unknown AppName, do you have any idea 
> where it could come from?
> examples of a session:
> ********
> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
> ************
> Valentin.
> ----------------------------------------------------------------------
> -------- _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net

Please visit http://blog.snort.org to stay current on all the latest Snort news!
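
Added example (not part of the thread or of Snort/OpenAppID code): a small Python triage script that parses statistics lines in the key="value" form quoted above, totals bytes per appName, and lists the intervals reported as `__unknown` so they can be matched against detector changes. The function names and the sample data are constructed for illustration; the field names are taken from the quoted session.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the key="value" form quoted in the thread; the second
# record is split across two lines the way the mail client wrapped it.
SAMPLE = '''statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
statTime="1459759180",appName="Google
Maps",txBytes="4340",rxBytes="6894"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = {"statTime", "appName", "txBytes", "rxBytes"}

def parse_records(text):
    """Yield one dict per record, rejoining records wrapped across lines."""
    pending = ""
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()   # tolerate mail quote markers
        if not line:
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count('"') % 2:          # odd quote count: value still open
            continue
        fields = dict(FIELD.findall(pending))
        pending = ""
        if REQUIRED <= fields.keys():       # skip separators and partial lines
            yield fields

def summarize(text):
    """Return (bytes per app, UTC times of intervals reported as __unknown)."""
    totals = defaultdict(lambda: {"tx": 0, "rx": 0, "intervals": 0})
    unknown = []
    for rec in parse_records(text):
        t = totals[rec["appName"]]
        t["tx"] += int(rec["txBytes"])
        t["rx"] += int(rec["rxBytes"])
        t["intervals"] += 1
        if rec["appName"] == "__unknown":
            ts = datetime.fromtimestamp(int(rec["statTime"]), tz=timezone.utc)
            unknown.append(ts.isoformat())
    return dict(totals), unknown

if __name__ == "__main__":
    totals, unknown = summarize(SAMPLE)
    print(totals, unknown)
```
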