[Snort-openappid] Fwd: [Snort-users] Open App Id

valentin.giraud at ...128...
Mon Apr 4 11:08:57 EDT 2016


Hi Mike, thank you for the additional answer!

Do you know where/how I can catch this "__unknown" app in order to create a 
custom detector for it?

And a lot of requests are not raised; for example, I do 6 searches with 
Firefox and only 2 or 3 of the sites are logged, but there is a rule for 
each site... Any idea where it could come from?

Valentin.
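The session-stat lines quoted further down in this thread (statTime/appName/txBytes/rxBytes, sometimes with an appName wrapped onto the next line by the mailer) and Mike's explanation of "__unknown" lend themselves to a small triage script. The Python below is an added example written for this archive page; it is not part of the original mail and not Snort or OpenAppID code. The sample log, the APP_TABLE name-to-number mapping and the resolve_app_id helper are constructed stand-ins for appMapping.data plus dynamically assigned custom IDs and for the engine's name lookup; the real appMapping.data file format is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample lines in the statTime/appName/txBytes/rxBytes format
# quoted in this thread (values are illustrative, not a real capture).
SAMPLE_LOG = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
"""

# Hypothetical name -> numeric app ID table standing in for appMapping.data
# plus any dynamically assigned custom IDs. The numbers are made up.
APP_TABLE = {
    "Firefox": 1001,
    "HTTP": 1002,
    "DNS": 1003,
    "Google Maps": 1004,
    "dayumBen": 5001,  # custom Lua detector, dynamically assigned ID
}

LINE_RE = re.compile(
    r'statTime="(?P<t>\d+)",appName="(?P<app>[^"]*)",'
    r'txBytes="(?P<tx>\d+)",rxBytes="(?P<rx>\d+)"$'
)


def parse_stats(text):
    """Parse stat lines, re-joining an appName that a mailer wrapped onto the next line."""
    records, pending = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("statTime="):
            pending = s                    # a new record starts; drop any unfinished one
        elif pending:
            pending = pending + " " + s    # continuation of a wrapped appName
        else:
            continue                       # separators, blank lines, etc.
        m = LINE_RE.match(pending)
        if m:
            records.append({"statTime": int(m["t"]), "appName": m["app"],
                            "txBytes": int(m["tx"]), "rxBytes": int(m["rx"])})
            pending = ""
    return records


def resolve_app_id(detector_value, table=APP_TABLE):
    """Mimic the lookup Mike describes: a detector may hand the engine a name or a
    number. Returns (number, name); the name is '__unknown' when a reported number
    is absent from the table, or when a reported name has no number at all."""
    by_id = {num: name for name, num in table.items()}
    if isinstance(detector_value, int):
        return detector_value, by_id.get(detector_value, "__unknown")
    num = table.get(detector_value)
    return num, (detector_value if num is not None else "__unknown")


def summarize(records):
    """Sessions and bytes per appName, plus the entries the engine could not name."""
    totals = defaultdict(lambda: {"sessions": 0, "txBytes": 0, "rxBytes": 0})
    for r in records:
        t = totals[r["appName"]]
        t["sessions"] += 1
        t["txBytes"] += r["txBytes"]
        t["rxBytes"] += r["rxBytes"]
    unresolved = [r for r in records if r["appName"] == "__unknown"]
    return dict(totals), unresolved


if __name__ == "__main__":
    totals, unresolved = summarize(parse_stats(SAMPLE_LOG))
    for app, t in sorted(totals.items()):
        print(f"{app:12s} sessions={t['sessions']} tx={t['txBytes']} rx={t['rxBytes']}")
    for r in unresolved:
        print("unresolved app ID at statTime", r["statTime"])
```

The statTime of each unresolved entry is the handle for going back to the capture and checking which detector fired; resolve_app_id shows the two ways a detector ends up as "__unknown" that Mike lists (a number that is not in the table, or a name that never got a number).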


On 04.04.2016 16:49, Mike Stepanek (mstepane) wrote:
> To add to that...
> 
>  - For facebook, I believe most of the detectors are based on SSL
> certificate info.  If you have any browsers falling back to SSL v2,
> the requested hostname won't be in the request, and you might not get
> a hit.
> 
>  - You'll see "DNS" for DNS requests.  For traffic from browsers, I'd
> expect to see a bunch of those.  :)
> 
>  - If you're seeing __unknown, it basically means that a detector is
> reporting an app ID (number) that's not known in the app ID table
> (appMapping.data plus any dynamic ones that you create).  Therefore,
> it can't resolve a name for it to print out.  If it's reporting that
> for an app that you're getting from ODP, it's generally good to make
> sure you've got the latest from snort.org.  Mismatches do occasionally
> slip through (best effort to keep them cleaned up).  If it's coming
> from your detector, you may be adding a service (or whatever) with an
> invalid app ID (you can convert an app ID name to a number).
> 
> -----Original Message-----
> From: Y M [mailto:snort at ...46...]
> Sent: Monday, April 04, 2016 9:49 AM
> To: valentin.giraud at ...128...
> Cc: snort-openappid at lists.sourceforge.net
> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
> 
> Hi Valentin,
> 
> To my limited understanding, the "appMapping.data" contains statically
> assigned IDs to app detectors. Static assignment is for AppIDs that
> have been generated or vetted by the OpenAppID team, and is not meant
> to be used for custom IDs.
> 
> For custom IDs, it seems that the AppID engine will dynamically and
> automatically assign an ID to your custom app detector on the fly when
> you run Snort. Any, please correct me if my understanding is
> completely off!
> 
> Can you please tell me how you are generating the detectors? Also show
> where your custom detectors are being saved on disk. This will help
> troubleshoot why you are getting "__unknown" IDs.
> 
> YM
> 
> ________________________________________
> From: Joel Esler <jesler at ...5...>
> Sent: Monday, April 4, 2016 12:35 PM
> To: snort-openappid at lists.sourceforge.net
> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
> 
> Forwarded message:
> 
>> From: valentin.giraud at ...128...
>> To: Snort Users <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Fwd: Open App Id
>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>> 
>> 
>> 
>> -------- Original message --------
>> Subject: Open App Id
>> Date: 04.04.2016 11:07
>> From: valentin.giraud at ...128...
>> To: snort-users at lists.sourceforge.net
>> 
>> Hi snort community,
>> 
>> I am currently trying to write some detectors in Lua for App Id.
>> But there are 2 or 3 things that I need your help to understand.
>> - In what way can I use the "appMapping.data"? Because I wrote some
>> Lua detectors and they work without using it...
>> - There are a lot of apps that are not working really well, e.g. when I
>> go to "www.facebook.com" it works only from time to time...  Have you any
>> idea?
>> - I have a lot of DNS and __unknown AppName; do you have any idea
>> where it could come from?
>> 
>> examples of a session:
>> 
>> ********
>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>> 
>> ************
>> 
>> Valentin.
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-openappid
> 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!