[Snort-openappid] Fwd: [Snort-users] Open App Id

valentin.giraud at ...128... valentin.giraud at ...128...
Mon Apr 4 12:03:18 EDT 2016


Yes, I understood this is not really unknown. I think I have the latest 
version: downloaded from https://www.snort.org/downloads in the 
OpenAppID part. So what should I do? Does my setup look good? (I attach 
snort.conf)



On 04.04.2016 17:47, Mike Stepanek (mstepane) wrote:
> Unknown doesn't really mean unknown.  :)  It means there's a detector
> that actually is identifying something there, but it's reporting it as
> an app ID that we don't know anything about (i.e., it's not in
> appMapping.data).  Make sure you've got the latest ODP installed.
> 
> -----Original Message-----
> From: valentin.giraud at ...128...
> [mailto:valentin.giraud at ...128...]
> Sent: Monday, April 04, 2016 11:09 AM
> To: Mike Stepanek (mstepane) <mstepane at ...5...>
> Cc: Y M <snort at ...46...>; snort-openappid at lists.sourceforge.net
> Subject: RE: [Snort-openappid] Fwd: [Snort-users] Open App Id
> 
> Hi Mike, thank you for the additional answer!
> 
> Do you know where/how I can catch this "__unknown app" in order to
> create a custom detector for it?
> 
> And a lot of requests are not raised; for example I do 6 searches with
> Firefox and only 2 or 3 of the sites are logged, but there is a rule
> for each site... Any idea where it could come from?
> 
> Valentin.
> 
> 
> On 04.04.2016 16:49, Mike Stepanek (mstepane) wrote:
>> To add to that...
>> 
>>  - For facebook, I believe most of the detectors are based on SSL
>> certificate info.  If you have any browsers falling back to SSL v2,
>> the requested hostname won't be in the request, and you might not get
>> a hit.
>> 
>>  - You'll see "DNS" for DNS requests.  For traffic from browsers, I'd
>> expect to see a bunch of those.  :)
>> 
>>  - If you're seeing __unknown, it basically means that a detector is
>> reporting an app ID (number) that's not known in the app ID table
>> (appMapping.data plus any dynamic ones that you create).  Therefore,
>> it can't resolve a name for it to print out.  If it's reporting that
>> for an app that you're getting from ODP, it's generally good to make
>> sure you've got the latest from snort.org.  Mismatches do occasionally
>> slip through (best effort to keep them cleaned up).  If it's coming
>> from your detector, you may be adding a service (or whatever) with an
>> invalid app ID (you can convert an app ID name to a number).
>> 
>> -----Original Message-----
>> From: Y M [mailto:snort at ...46...]
>> Sent: Monday, April 04, 2016 9:49 AM
>> To: valentin.giraud at ...128...
>> Cc: snort-openappid at lists.sourceforge.net
>> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
>> 
>> Hi Valentin,
>> 
>> To my limited understanding, the "appMapping.data" contains statically
>> assigned IDs to app detectors. Static assignment is for AppIDs that
>> have been generated or vetted by the OpenAppID team, and is not meant
>> to be used for custom IDs.
>> 
>> For custom IDs, it seems that the AppID engine will dynamically and
>> automatically assign an ID to your custom app detector on the fly when
>> you run Snort. Anyway, please correct me if my understanding is
>> completely off!
>> 
>> Can you please tell me how you are generating the detectors? Also show
>> where your custom detectors are being saved on disk. This will help
>> troubleshoot why you are getting "__unknown" IDs.
>> 
>> YM
>> 
>> ________________________________________
>> From: Joel Esler <jesler at ...5...>
>> Sent: Monday, April 4, 2016 12:35 PM
>> To: snort-openappid at lists.sourceforge.net
>> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
>> 
>> Forwarded message:
>> 
>>> From: valentin.giraud at ...128...
>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Fwd: Open App Id
>>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>>> 
>>> 
>>> 
>>> -------- Original message --------
>>> Subject: Open App Id
>>> Date: 04.04.2016 11:07
>>> From: valentin.giraud at ...128...
>>> To: snort-users at lists.sourceforge.net
>>> 
>>> Hi snort community,
>>> 
>>> I am currently trying to write some detectors in Lua for App Id.
>>> But there are 2 or 3 things that I need your help to understand.
>>> - In what way can I use the "appMapping.data"? Because I wrote some
>>> Lua detectors and they work without using it...
>>> - There are a lot of apps that are not working really well, e.g. when I
>>> go to "www.facebook.com" it works only from time to time... Have you any
>>> idea?
>>> - I have a lot of DNS and __unknown AppName entries; do you have any idea
>>> where they could come from?
>>> 
>>> examples of a session:
>>> 
>>> ********
>>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>>> 
>>> ************
>>> 
>>> Valentin.
>>> 
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-openappid mailing list
>> Snort-openappid at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>> 
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort.conf
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20160404/0466bda3/attachment.ksh>
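The thread's diagnosis of "__unknown" (a detector reporting a numeric app ID that is not in appMapping.data or among the dynamically registered custom IDs) and the advice to convert an app name to its number before using it in a custom detector can both be checked offline. The script below is an added example, not code from the thread or from the Snort/OpenAppID project. It assumes that appMapping.data is tab-separated with the numeric app ID in column 1 and the app name in column 2 (other columns are ignored), and it uses the key="value" stats layout quoted in the thread. Both inputs are constructed samples with made-up IDs; the Counter/summary logic is illustrative, not Snort's own.

```python
"""Sanity-check OpenAppID stats output against appMapping.data.

Added example (not code from the thread or from the Snort project).
Assumptions, stated here and in comments:
  * appMapping.data is tab-separated with the numeric app ID in column 1
    and the app name in column 2 (further columns are ignored).
  * the stats lines use the key="value" layout quoted in the thread.
Both inputs below are constructed samples, not real Snort output.
"""
import re
from collections import Counter

# Constructed sample of appMapping.data (assumed layout: id<TAB>name<TAB>...).
# The real file has thousands of rows; these IDs are made up for illustration.
SAMPLE_APP_MAPPING = """\
# app_id\tapp_name\tother columns ignored
53\tDNS\t0\t0\t0
676\tHTTP\t0\t0\t0
895\tFirefox\t0\t0\t0
1114\tSquid\t0\t0\t0
"""

# Constructed stats lines in the layout quoted in the thread.
SAMPLE_STATS = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
"""

STAT_RE = re.compile(r'(\w+)="([^"]*)"')


def load_app_mapping(text):
    """Return {app_name: app_id} from appMapping.data-style text.

    Comment lines (#) and blank lines are skipped; a row without at least
    id<TAB>name raises so a corrupted mapping is noticed, not half-loaded.
    """
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected id<TAB>name, got {line!r}")
        mapping[fields[1]] = int(fields[0])
    return mapping


def app_name_to_id(mapping, name):
    """The 'convert an app ID name to a number' step from the thread.

    Fails loudly for a name that is not in the table, so a custom detector
    never registers a bogus numeric ID (one way to end up with __unknown).
    """
    try:
        return mapping[name]
    except KeyError:
        raise KeyError(f"app name {name!r} is not in appMapping.data") from None


def parse_stats(text):
    """Parse key="value" stats lines into dicts with integer byte counts."""
    records = []
    for line in text.splitlines():
        fields = dict(STAT_RE.findall(line))
        if "appName" not in fields:
            continue  # not a stats line; skip silently
        records.append({
            "statTime": int(fields["statTime"]),
            "appName": fields["appName"],
            "txBytes": int(fields["txBytes"]),
            "rxBytes": int(fields["rxBytes"]),
        })
    return records


def summarize(records):
    """Count records per app name and total the bytes attributed to __unknown.

    A non-zero unknown_bytes means some detector reported an ID that is not
    in the app ID table: update the ODP or fix the detector's app ID.
    """
    per_app = Counter(r["appName"] for r in records)
    unknown_bytes = sum(r["txBytes"] + r["rxBytes"]
                        for r in records if r["appName"] == "__unknown")
    return {"per_app": dict(per_app), "unknown_bytes": unknown_bytes}


if __name__ == "__main__":
    mapping = load_app_mapping(SAMPLE_APP_MAPPING)
    print("Firefox ->", app_name_to_id(mapping, "Firefox"))
    print(summarize(parse_stats(SAMPLE_STATS)))
```

Point the two loaders at the real appMapping.data from the ODP and at the appid stats log to see which share of traffic is landing in __unknown, and run `app_name_to_id` on every name a custom Lua detector references before loading it.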

