[Snort-openappid] Fwd: [Snort-users] Open App Id

Y M snort at ...46...
Mon Apr 4 11:03:05 EDT 2016


I thought the "unknown" cases were for your custom detectors, that's why I asked about the location of the custom ones. Which version of the OpenAppID are you running? In my current setup, I don't see the same issue.

I don't have a computer at my disposal at the moment, will check your configs once I get a chance.

Can you explain more about the intermittent issue? Is it for specific apps? If so, which apps are they? Facebook can be a difficult one to track and troubleshoot. If you can provide a pcap where this behavior is observed, people can take a look at it.

Please post back to the list and not only to my email, this way you get faster and smarter help :)

YM

Sent from Mobile

_____________________________
From: valentin.giraud at ...128...
Sent: Monday, April 4, 2016 5:20 PM
Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
To: Y M <snort at ...46...>


Hi Y M, and thank you for your prompt reply!

I wrote 2 detectors, but the "__unknown" problem was already there.
I am giving you my "snort.conf" and detector files. The path to the custom
detectors is "/usr/local/lib/openappid/custom/lua". I don't think the
problem comes from the path.

One more question: do you have any idea why it works only from time to time?

Sincerely,
Valentin.


On 04.04.2016 15:48, Y M wrote:
> Hi Valentin,
>
> To my limited understanding, the "appMapping.data" contains statically
> assigned IDs to app detectors. Static assignment is for AppIDs that
> have been generated or vetted by the OpenAppID team, and is not meant
> to be used for custom IDs.
>
> For custom IDs, it seems that the AppID engine will dynamically and
> automatically assign an ID to your custom app detector on the fly when
> you run Snort. Anyway, please correct me if my understanding is
> completely off!
>
> Can you please tell me how you are generating the detectors? Also show
> where your custom detectors are being saved on disk. This will help
> troubleshoot why you are getting "__unknown" IDs.
>
> YM
>
> ________________________________________
> From: Joel Esler <jesler at ...5...>
> Sent: Monday, April 4, 2016 12:35 PM
> To: snort-openappid at lists.sourceforge.net
> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
>
> Forwarded message:
>
>> From: valentin.giraud at ...128...
>> To: Snort Users <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Fwd: Open App Id
>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>>
>>
>>
>> -------- Original message --------
>> Subject: Open App Id
>> Date: 04.04.2016 11:07
>> From: valentin.giraud at ...128...
>> To: snort-users at lists.sourceforge.net
>>
>> Hi snort community,
>>
>> I am currently trying to write some detectors in Lua for App Id.
>> But there are 2 or 3 things that I need your help to understand.
>> - In what way can I use the "appMapping.data"? Because I wrote some
>> Lua detectors and they work without using it...
>> - There are a lot of apps that are not working really well, e.g. when I
>> go to "www.facebook.com" it works only from time to time... Have you any
>> idea?
>> - I have a lot of DNS and __unknown AppNames; do you have any idea
>> where they could come from?
>>
>> Example of a session:
>>
>> ********
>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>>
>> ************
>>
>> Valentin.
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>
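As an added example (not code from the thread or from the OpenAppID project), here is a small parser for the appid stats records Valentin quoted above. It aggregates bytes per appName so the share of traffic that lands in "__unknown" or DNS can be quantified before chasing individual detectors; the sample records are constructed from the ones in the thread, and the record layout (comma-separated key="value" fields, one record per line) is assumed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the appid stats lines quoted in the thread:
# one record per line, comma-separated key="value" fields.
SAMPLE_STATS = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
"""

# key="value"; values may contain spaces (e.g. "Google Maps") but no quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_stats_line(line):
    """Turn one key="value",... record into a dict; byte/time fields become ints.

    Returns None for lines that are not stats records (separators, blanks,
    or records whose numeric fields are not integers)."""
    rec = dict(FIELD_RE.findall(line))
    if "appName" not in rec or "statTime" not in rec:
        return None
    try:
        for key in ("statTime", "txBytes", "rxBytes"):
            rec[key] = int(rec.get(key, "0"))
    except ValueError:
        return None
    return rec


def summarize(text):
    """Aggregate records per appName and compute the byte share of __unknown.

    Returns (per_app, unknown_share) where per_app maps appName to a dict of
    record count, txBytes and rxBytes totals."""
    per_app = defaultdict(lambda: {"records": 0, "txBytes": 0, "rxBytes": 0})
    total_bytes = 0
    for line in text.splitlines():
        rec = parse_stats_line(line)
        if rec is None:
            continue  # skip the "********" separators and anything malformed
        bucket = per_app[rec["appName"]]
        bucket["records"] += 1
        bucket["txBytes"] += rec["txBytes"]
        bucket["rxBytes"] += rec["rxBytes"]
        total_bytes += rec["txBytes"] + rec["rxBytes"]
    unknown = per_app.get("__unknown", {"txBytes": 0, "rxBytes": 0})
    unknown_bytes = unknown["txBytes"] + unknown["rxBytes"]
    share = unknown_bytes / total_bytes if total_bytes else 0.0
    return dict(per_app), share
```

Run `summarize()` over a real appid stats file to see which names dominate; a large "__unknown" share with small byte counts, as in the thread, points at short flows that never produced enough payload for a detector to fire rather than at a broken detector path.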

