[Snort-openappid] Fwd: [Snort-users] Open App Id

valentin.giraud at ...128...
Mon Apr 4 11:20:27 EDT 2016


 

I downloaded the "snort-openappid.tar.gz" file from the Snort website
2 days ago.

I don't really know how to explain it. I can do 10 searches with my custom
rules, and only some of them will be noticed. Then I do this action
again, and none of them are logged...

At the same time, I look at the traffic and I can see the packets, so I think
it comes from my configuration...

On 04.04.2016 17:03, Y M wrote:

> I thought the "unknown" cases were for your custom detectors; that's why I asked about the location of the custom ones. Which version of OpenAppID are you running? On my current setup, I don't see the same issue.
> 
> I don't have a computer at my disposal at the moment, will check your configs once I get a chance. 
> 
> Can you explain more about the intermittent issue? Is it for specific apps? If so which apps are they? Facebook can be a difficult one to track and troubleshoot. If you can provide a pcap where this behavior is observed people can take a look at it. 
> 
> Please post back to the list and not only to my email, this way you get faster and smarter help :) 
> 
> YM
> 
> Sent from Mobile 
> _____________________________
> From: valentin.giraud at ...128...
> Sent: Monday, April 4, 2016 5:20 PM
> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
> To: Y M <snort at ...46...>
> 
> Hi Y M, and thank you for your prompt reply!
> 
> I wrote 2 detectors, but the "__unknown" problem was already here.
> I am giving you my "snort.conf" and detector files. The path to the custom
> detectors is "/usr/local/lib/openappid/custom/lua". I don't think the
> problem comes from the path.
> 
> One more question: do you have any idea why it works from time to time?
> 
> Sincerely,
> Valentin.
> 
> On 04.04.2016 15:48, Y M wrote:
>> Hi Valentin,
>> 
>> To my limited understanding, the "appMapping.data" contains statically
>> assigned IDs to app detectors. Static assignment is for AppIDs that
>> have been generated or vetted by the OpenAppID team, and is not meant
>> to be used for custom IDs.
>> 
>> For custom IDs, it seems that the AppID engine will dynamically and
>> automatically assign an ID to your custom app detector on the fly when
>> you run Snort. Anyway, please correct me if my understanding is
>> completely off!
>> 
>> Can you please tell me how you are generating the detectors? Also show
>> where your custom detectors are being saved on disk. This will help
>> troubleshoot why you are getting "__unknown" IDs.
>> 
>> YM
>> 
>> ________________________________________
>> From: Joel Esler <jesler at ...5...>
>> Sent: Monday, April 4, 2016 12:35 PM
>> To: snort-openappid at lists.sourceforge.net
>> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
>> 
>> Forwarded message:
>> 
>>> From: valentin.giraud at ...128...
>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Fwd: Open App Id
>>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>>> 
>>> 
>>> 
>>> -------- Original message --------
>>> Subject: Open App Id
>>> Date: 04.04.2016 11:07
>>> From: valentin.giraud at ...128...
>>> To: snort-users at lists.sourceforge.net
>>> 
>>> Hi snort community,
>>> 
>>> I am currently trying to write some detectors in Lua for App Id.
>>> But there are 2 or 3 things I need your help to understand.
>>> - In what way can I use "appMapping.data"? Because I wrote some
>>> Lua detectors and they work without using it...
>>> - There are a lot of apps that are not working really well, e.g. when I
>>> go to "www.facebook.com" it only works from time to time... Do you have
>>> any idea?
>>> - I have a lot of DNS and __unknown AppNames; do you have any idea
>>> where they could come from?
>>> 
>>> Examples of a session:
>>> 
>>> ********
>>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>>> 
>>> ************
>>> 
>>> Valentin.
>>> 
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-openappid mailing list
>> Snort-openappid at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>> 
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
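
As an added example (not part of the thread, and not Snort or OpenAppID code), a small Python parser for the appStats lines quoted above: it rebuilds sessions from lines that share a stat interval and byte counters, and pulls out the ones that stayed __unknown so they can be matched against a pcap, as suggested in the thread. The sample lines and the grouping rule are constructed from the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample in the appStats key="value" format quoted in the thread
# (same field names as the original output, cut down to a few lines).
SAMPLE_STATS = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = {"statTime", "appName", "txBytes", "rxBytes"}
INT_FIELDS = ("statTime", "txBytes", "rxBytes")

def parse_stats(text):
    """Turn each appStats line into a dict; lines missing a field are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if not REQUIRED.issubset(fields):
            continue
        records.append({k: int(v) if k in INT_FIELDS else v for k, v in fields.items()})
    return records

def group_sessions(records):
    """Group lines sharing statTime/txBytes/rxBytes into one session.
    Assumption drawn from the quoted output (Firefox/HTTP/dayumBen repeat the
    same counters): one flow is reported once per detected app layer."""
    sessions = defaultdict(list)
    for r in records:
        sessions[(r["statTime"], r["txBytes"], r["rxBytes"])].append(r["appName"])
    return {key: sorted(apps) for key, apps in sessions.items()}

def unclassified_sessions(sessions):
    """Sessions where AppID reported nothing but __unknown: the flows worth
    capturing to a pcap for troubleshooting, as the thread suggests."""
    return [key for key, apps in sessions.items() if apps == ["__unknown"]]

def bytes_by_app(records):
    """Total tx+rx bytes per appName (not additive across apps, see group_sessions)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["appName"]] += r["txBytes"] + r["rxBytes"]
    return dict(totals)
```

Because one flow shows up once per app layer, per-app byte totals overlap; compare sessions, not summed bytes, when judging how much traffic stays unclassified.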

  
