[Snort-openappid] Fwd: [Snort-users] Open App Id

Mike Stepanek (mstepane) mstepane at ...5...
Mon Apr 4 11:47:10 EDT 2016


Unknown doesn't really mean unknown.  :)  It means there's a detector that actually is identifying something there, but it's reporting it as an app ID that we don't know anything about (i.e., it's not in appMapping.data).  Make sure you've got the latest ODP installed.

-----Original Message-----
From: valentin.giraud at ...128... [mailto:valentin.giraud at ...128...] 
Sent: Monday, April 04, 2016 11:09 AM
To: Mike Stepanek (mstepane) <mstepane at ...5...>
Cc: Y M <snort at ...46...>; snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Fwd: [Snort-users] Open App Id

Hi Mike, thank you for the additional answer!

Do you know where/how I can catch this "__unknown app" in order to create a custom detector for it?

And a lot of requests are not raised; for example, I do 6 searches with Firefox and only 2 or 3 of the sites are logged, but there is a rule for each site... Any idea where it could come from?

Valentin.


On 04.04.2016 16:49, Mike Stepanek (mstepane) wrote:
> To add to that...
> 
>  - For facebook, I believe most of the detectors are based on SSL 
> certificate info.  If you have any browsers falling back to SSL v2, 
> the requested hostname won't be in the request, and you might not get 
> a hit.
> 
>  - You'll see "DNS" for DNS requests.  For traffic from browsers, I'd 
> expect to see a bunch of those.  :)
> 
>  - If you're seeing __unknown, it basically means that a detector is 
> reporting an app ID (number) that's not known in the app ID table 
> (appMapping.data plus any dynamic ones that you create).  Therefore, 
> it can't resolve a name for it to print out.  If it's reporting that 
> for an app that you're getting from ODP, it's generally good to make 
> sure you've got the latest from snort.org.  Mismatches do occasionally 
> slip through (best effort to keep them cleaned up).  If it's coming 
> from your detector, you may be adding a service (or whatever) with an 
> invalid app ID (you can convert an app ID name to a number).
> 
> -----Original Message-----
> From: Y M [mailto:snort at ...46...]
> Sent: Monday, April 04, 2016 9:49 AM
> To: valentin.giraud at ...128...
> Cc: snort-openappid at lists.sourceforge.net
> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
> 
> Hi Valentin,
> 
> To my limited understanding, the "appMapping.data" contains statically 
> assigned IDs to app detectors. Static assignment is for AppIDs that 
> have been generated or vetted by the OpenAppID team, and is not meant 
> to be used for custom IDs.
> 
> For custom IDs, it seems that the AppID engine will dynamically and 
> automatically assign an ID to your custom app detector on the fly when 
> you run Snort. Anyway, please correct me if my understanding is 
> completely off!
> 
> Can you please tell me how you are generating the detectors? Also show 
> where your custom detectors are being saved on disk. This will help 
> troubleshoot why you are getting "__unknown" IDs.
> 
> YM
> 
> ________________________________________
> From: Joel Esler <jesler at ...5...>
> Sent: Monday, April 4, 2016 12:35 PM
> To: snort-openappid at lists.sourceforge.net
> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
> 
> Forwarded message:
> 
>> From: valentin.giraud at ...128...
>> To: Snort Users <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Fwd: Open App Id
>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>> 
>> 
>> 
>> -------- Original message --------
>> Subject: Open App Id
>> Date: 04.04.2016 11:07
>> From: valentin.giraud at ...128...
>> To: snort-users at lists.sourceforge.net
>> 
>> Hi snort community,
>> 
>> I am currently trying to write some detectors in Lua for App Id.
>> But there are 2 or 3 things that I need your help to understand.
>> - In what way can I use the "appMapping.data"? Because I wrote some 
>> Lua detectors and they work without using it...
>> - There are a lot of apps that are not working really well, e.g. when I 
>> go on "www.facebook.com" it works only from time to time...  Have you any 
>> idea?
>> - I have a lot of DNS and __unknown AppName; do you have any idea 
>> where it could come from?
>> 
>> examples of a session:
>> 
>> ********
>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>> 
>> ************
>> 
>> Valentin.
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest 
>> Snort news!
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-openappid
> 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!
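As an added example (not code from the thread or from the OpenAppID project), the script below triages the per-session stats lines Valentin pasted. It re-joins app names that a mail client wrapped across two lines (such as "Google Maps"), groups lines that share statTime/txBytes/rxBytes into one session (an assumption, since the stats format carries no flow id), and then reports what the thread is actually about: how many sessions resolved to `__unknown`, how many were DNS only, and which expected app names never showed up at all. The sample input is constructed from the excerpt in this thread.

```python
"""Triage OpenAppID per-session stats lines (added example, not from the thread).

The input is the statTime="..",appName="..",txBytes="..",rxBytes=".." format
shown in Valentin's message. Mail clients wrap long lines, so an appName such
as "Google Maps" may arrive split across two lines; the parser re-joins any
line that does not start with 'statTime='.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, taken from the thread's own excerpt, including one
# mail-wrapped record ("Google" / "Maps" on two lines).
SAMPLE_LOG = '''\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
statTime="1459759180",appName="Google
Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def unwrap(text):
    """Yield logical records, re-joining lines broken by mail wrapping."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('statTime='):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += ' ' + line  # continuation of a wrapped appName
    if current is not None:
        yield current


def parse(text):
    """Return a list of dicts with statTime, appName, txBytes, rxBytes."""
    records = []
    for rec in unwrap(text):
        fields = dict(FIELD_RE.findall(rec))
        if 'appName' not in fields:
            continue
        fields['txBytes'] = int(fields.get('txBytes', 0))
        fields['rxBytes'] = int(fields.get('rxBytes', 0))
        records.append(fields)
    return records


def sessions(records):
    """Group records into sessions. OpenAppID emits one line per detected app
    for the same flow, so lines sharing statTime/txBytes/rxBytes are treated
    as one session (assumption: the stats format carries no flow id)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r['statTime'], r['txBytes'], r['rxBytes'])].append(r['appName'])
    return groups


def triage(text, expected=()):
    """Summarise unresolved app IDs, DNS-only sessions and missing apps."""
    recs = parse(text)
    groups = sessions(recs)
    counts = Counter(r['appName'] for r in recs)
    unknown = sum(1 for apps in groups.values() if '__unknown' in apps)
    dns_only = sum(1 for apps in groups.values() if set(apps) == {'DNS'})
    missing = sorted(set(expected) - set(counts))
    return {
        'records': len(recs),
        'sessions': len(groups),
        'unknown_sessions': unknown,
        'dns_only_sessions': dns_only,
        'missing_expected': missing,
        'top_apps': counts.most_common(5),
    }


if __name__ == '__main__':
    report = triage(SAMPLE_LOG, expected=('Facebook', 'Google Maps'))
    for key, value in report.items():
        print(f'{key}: {value}')
```

A non-zero `unknown_sessions` count is the symptom Mike describes: a detector fired but its app ID is absent from appMapping.data (or from the dynamically assigned custom IDs), so the first check is whether the installed ODP is current; `missing_expected` lists the apps (such as Facebook) for which rules exist but no session was ever attributed, which is the separate "only 2 or 3 of the sites are logged" problem.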

