[Snort-openappid] Fwd: [Snort-users] Open App Id

Y M snort at ...46...
Mon Apr 4 12:31:40 EDT 2016


Make sure you delete the old odp/ directory and copy/move the new one. Attempting to simply overwrite may cause an issue. I have seen it once and since then I always delete the odp/ directory and copy the new one. Inside your odp/ directory, there should be a file called version.conf. What is the version reported inside this file?

If you have a relatively small pcap, try to split it into session per app per pcap file and run each against Snort and track down which one is missing or getting the unknown id. Start by removing your custom detectors and see if everything runs fine. This is more work but it should help pinpoint the issue.

YM
________________________________________
From: valentin.giraud at ...128... <valentin.giraud at ...128...>
Sent: Monday, April 4, 2016 4:03 PM
To: Mike Stepanek (mstepane)
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id

Yes, I understood this is not really unknown. I think I have the last
version: downloaded from https://www.snort.org/downloads in the
OpenAppID part. So what should I do? Does my setup look good? (I attach
snort.conf)



On 04.04.2016 17:47, Mike Stepanek (mstepane) wrote:
> Unknown doesn't really mean unknown.  :)  It means there's a detector
> that actually is identifying something there, but it's reporting it as
> an app ID that we don't know anything about (i.e., it's not in
> appMapping.data).  Make sure you've got the latest ODP installed.
>
> -----Original Message-----
> From: valentin.giraud at ...128...
> [mailto:valentin.giraud at ...128...]
> Sent: Monday, April 04, 2016 11:09 AM
> To: Mike Stepanek (mstepane) <mstepane at ...5...>
> Cc: Y M <snort at ...46...>; snort-openappid at lists.sourceforge.net
> Subject: RE: [Snort-openappid] Fwd: [Snort-users] Open App Id
>
> Hi Mike, thank you for the additional answer !
>
> Do you know where/how I can catch this "__unknown app" in order to
> create a custom detector for it?
>
> And a lot of requests are not raised; for example I do 6 searches with
> Firefox and only 2 or 3 of the sites are logged, but there is a rule
> for each site ... Any idea where it could come from?
>
> Valentin.
>
>
> On 04.04.2016 16:49, Mike Stepanek (mstepane) wrote:
>> To add to that...
>>
>>  - For facebook, I believe most of the detectors are based on SSL
>> certificate info.  If you have any browsers falling back to SSL v2,
>> the requested hostname won't be in the request, and you might not get
>> a hit.
>>
>>  - You'll see "DNS" for DNS requests.  For traffic from browsers, I'd
>> expect to see a bunch of those.  :)
>>
>>  - If you're seeing __unknown, it basically means that a detector is
>> reporting an app ID (number) that's not known in the app ID table
>> (appMapping.data plus any dynamic ones that you create).  Therefore,
>> it can't resolve a name for it to print out.  If it's reporting that
>> for an app that you're getting from ODP, it's generally good to make
>> sure you've got the latest from snort.org.  Mismatches do occasionally
>> slip through (best effort to keep them cleaned up).  If it's coming
>> from your detector, you may be adding a service (or whatever) with an
>> invalid app ID (you can convert an app ID name to a number).
>>
>> -----Original Message-----
>> From: Y M [mailto:snort at ...46...]
>> Sent: Monday, April 04, 2016 9:49 AM
>> To: valentin.giraud at ...128...
>> Cc: snort-openappid at lists.sourceforge.net
>> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
>>
>> Hi Valentin,
>>
>> To my limited understanding, the "appMapping.data" contains statically
>> assigned IDs to app detectors. Static assignment is for AppIDs that
>> have been generated or vetted by the OpenAppID team, and is not meant
>> to be used for custom IDs.
>>
>> For custom IDs, it seems that the AppID engine will dynamically and
>> automatically assign an ID to your custom app detector on the fly when
>> you run Snort. Anyway, please correct me if my understanding is
>> completely off!
>>
>> Can you please tell me how you are generating the detectors? Also show
>> where your custom detectors are being saved on disk. This will help
>> troubleshoot why you are getting "__unknown" IDs.
>>
>> YM
>>
>> ________________________________________
>> From: Joel Esler <jesler at ...5...>
>> Sent: Monday, April 4, 2016 12:35 PM
>> To: snort-openappid at lists.sourceforge.net
>> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
>>
>> Forwarded message:
>>
>>> From: valentin.giraud at ...128...
>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Fwd: Open App Id
>>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>>>
>>>
>>>
>>> -------- Original message --------
>>> Subject: Open App Id
>>> Date: 04.04.2016 11:07
>>> From: valentin.giraud at ...128...
>>> To: snort-users at lists.sourceforge.net
>>>
>>> Hi snort community,
>>>
>>> I am currently trying to write some detectors in Lua for App Id.
>>> But there are 2 or 3 things that I need your help to understand.
>>> - In what way can I use the "appMapping.data"? Because I wrote some
>>> Lua detectors and they work without using it...
>>> - There are a lot of apps that are not working really well, e.g. when I
>>> go on "www.facebook.com" it works only from time to time...  Have you any
>>> idea?
>>> - I have a lot of DNS and __unknown AppName entries; do you have any idea
>>> where they could come from?
>>>
>>> examples of a session:
>>>
>>> ********
>>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>>>
>>> ************
>>>
>>> Valentin.
>>>
>>> ------------------------------------------------------------------------------
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>
>> ------------------------------------------------------------------------------
>> Snort-openappid mailing list
>> Snort-openappid at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
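An added example, not code from this thread or from the Snort project: a small Python script that parses AppID stats lines in the format Valentin quoted, totals bytes per appName, lists the statTime values at which "__unknown" was reported (so those intervals can be matched against the per-session pcaps YM suggests splitting out), and flags intervals where Firefox/HTTP was identified but no site-level app was, which is the "only 2 or 3 of the sites are logged" symptom. The sample lines are constructed in that format; treating each distinct statTime as one stats interval, and the NON_WEBAPP set of names that count as client/service rather than web app, are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the stats-line format quoted in the thread (not a real capture).
SAMPLE_STATS = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
"""

LINE_RE = re.compile(
    r'statTime="(?P<t>\d+)",appName="(?P<app>[^"]*)",'
    r'txBytes="(?P<tx>\d+)",rxBytes="(?P<rx>\d+)"'
)

# Assumption: these names identify a client or service layer, not a site-level web app.
NON_WEBAPP = {"Firefox", "HTTP", "HTTPS", "SSL", "DNS", "__unknown"}


def parse_stats(text):
    """Parse stats lines into dicts; reject any line that does not match the format."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised stats line: {line!r}")
        records.append({
            "statTime": int(m["t"]),
            "appName": m["app"],
            "txBytes": int(m["tx"]),
            "rxBytes": int(m["rx"]),
        })
    return records


def totals_by_app(records):
    """Number of stats lines and summed bytes per appName."""
    totals = defaultdict(lambda: {"count": 0, "txBytes": 0, "rxBytes": 0})
    for r in records:
        s = totals[r["appName"]]
        s["count"] += 1
        s["txBytes"] += r["txBytes"]
        s["rxBytes"] += r["rxBytes"]
    return dict(totals)


def unknown_times(records):
    """Sorted statTime values at which a detector reported an unmapped app ID."""
    return sorted({r["statTime"] for r in records if r["appName"] == "__unknown"})


def browser_intervals_without_webapp(records, non_webapp=NON_WEBAPP):
    """statTime values where Firefox/HTTP was seen but no site-level app was identified.

    Assumption: all lines sharing a statTime belong to one stats interval.
    """
    by_time = defaultdict(set)
    for r in records:
        by_time[r["statTime"]].add(r["appName"])
    flagged = []
    for t, apps in sorted(by_time.items()):
        saw_browser = "Firefox" in apps or "HTTP" in apps
        if saw_browser and apps <= non_webapp:
            flagged.append(t)
    return flagged


def report(text):
    records = parse_stats(text)
    return {
        "totals": totals_by_app(records),
        "unknown_times": unknown_times(records),
        "browser_only_intervals": browser_intervals_without_webapp(records),
    }


if __name__ == "__main__":
    r = report(SAMPLE_STATS)
    for app, s in sorted(r["totals"].items()):
        print(f"{app:12} n={s['count']:2} tx={s['txBytes']:6} rx={s['rxBytes']:6}")
    print("__unknown seen at statTime:", r["unknown_times"])
    print("browser/HTTP seen, no site-level app, at statTime:", r["browser_only_intervals"])
```

Run it against the real stats output instead of SAMPLE_STATS; the statTime values it prints for "__unknown" give the intervals whose sessions are worth isolating into their own pcap, and the browser-only intervals are the ones to re-run with custom detectors removed, as the thread suggests.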



