[Snort-openappid] Fwd: [Snort-users] Open App Id

valentin.giraud at ...128... valentin.giraud at ...128...
Tue Apr 5 04:43:29 EDT 2016


When I installed OpenAppID, I typed these commands:
  tar zxvf snort-openappid.tar.gz
  mkdir /usr/local/lib/openappid
  mv odp/ /usr/local/lib/openappid/

So I don't have any "old" odp directory.

I tried each session per app, and for "reddit" (it's an example)
sometimes it works, and sometimes it's "unknown" or it just says Firefox /
DNS ...
My custom detector works a lot better than the others! Maybe because
they only use classic HTTP URLs.

The version is: VERSION=264. Is it the right version?


On 04.04.2016 18:31, Y M wrote:
> Make sure you delete the old odp/ directory and copy/move the new one.
> Attempting to simply overwrite may cause an issue. I have seen it once
> and since then I always delete the odp/ directory and copy the new
> one. Inside your odp/ directory, there should be a file called
> version.conf. What is the version reported inside this file?
> 
> If you have a relatively small pcap, try to split it into session per
> app per pcap file and run each against Snort and track down which one
> is missing or getting the unknown id. Start by removing your custom
> detectors and see if everything runs fine. This is more work but it
> should help pinpoint the issue.
> 
> YM
> ________________________________________
> From: valentin.giraud at ...128... 
> <valentin.giraud at ...128...>
> Sent: Monday, April 4, 2016 4:03 PM
> To: Mike Stepanek (mstepane)
> Cc: snort-openappid at lists.sourceforge.net
> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
> 
> Yes, I understood this is not really unknown. I think I have the latest
> version: downloaded from https://www.snort.org/downloads in the
> OpenAppID section. So what should I do? Does my setup look good? (I am
> attaching snort.conf)
> 
> 
> 
> On 04.04.2016 17:47, Mike Stepanek (mstepane) wrote:
>> Unknown doesn't really mean unknown.  :)  It means there's a detector
>> that actually is identifying something there, but it's reporting it as
>> an app ID that we don't know anything about (i.e., it's not in
>> appMapping.data).  Make sure you've got the latest ODP installed.
>> 
>> -----Original Message-----
>> From: valentin.giraud at ...128...
>> [mailto:valentin.giraud at ...128...]
>> Sent: Monday, April 04, 2016 11:09 AM
>> To: Mike Stepanek (mstepane) <mstepane at ...5...>
>> Cc: Y M <snort at ...46...>; snort-openappid at lists.sourceforge.net
>> Subject: RE: [Snort-openappid] Fwd: [Snort-users] Open App Id
>> 
>> Hi Mike, thank you for the additional answer!
>> 
>> Do you know where/how I can catch this "__unknown app" in order to
>> create a custom detector for it?
>> 
>> And a lot of requests are not raised, for example I do 6 searches with
>> Firefox and only 2 or 3 of the sites are logged, but there is a rule
>> for each site ... Any idea where it could come from?
>> 
>> Valentin.
>> 
>> 
>> On 04.04.2016 16:49, Mike Stepanek (mstepane) wrote:
>>> To add to that...
>>> 
>>>  - For facebook, I believe most of the detectors are based on SSL
>>> certificate info.  If you have any browsers falling back to SSL v2,
>>> the requested hostname won't be in the request, and you might not get
>>> a hit.
>>> 
>>>  - You'll see "DNS" for DNS requests.  For traffic from browsers, I'd
>>> expect to see a bunch of those.  :)
>>> 
>>>  - If you're seeing __unknown, it basically means that a detector is
>>> reporting an app ID (number) that's not known in the app ID table
>>> (appMapping.data plus any dynamic ones that you create).  Therefore,
>>> it can't resolve a name for it to print out.  If it's reporting that
>>> for an app that you're getting from ODP, it's generally good to make
>>> sure you've got the latest from snort.org.  Mismatches do occasionally
>>> slip through (best effort to keep them cleaned up).  If it's coming
>>> from your detector, you may be adding a service (or whatever) with an
>>> invalid app ID (you can convert an app ID name to a number).
>>> 
>>> -----Original Message-----
>>> From: Y M [mailto:snort at ...46...]
>>> Sent: Monday, April 04, 2016 9:49 AM
>>> To: valentin.giraud at ...128...
>>> Cc: snort-openappid at lists.sourceforge.net
>>> Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id
>>> 
>>> Hi Valentin,
>>> 
>>> To my limited understanding, the "appMapping.data" contains statically
>>> assigned IDs to app detectors. Static assignment is for AppIDs that
>>> have been generated or vetted by the OpenAppID team, and is not meant
>>> to be used for custom IDs.
>>> 
>>> For custom IDs, it seems that the AppID engine will dynamically and
>>> automatically assign an ID to your custom app detector on the fly when
>>> you run Snort. Anyway, please correct me if my understanding is
>>> completely off!
>>> 
>>> Can you please tell me how you are generating the detectors? Also show
>>> where your custom detectors are being saved on disk. This will help
>>> troubleshoot why you are getting "__unknown" IDs.
>>> 
>>> YM
>>> 
>>> ________________________________________
>>> From: Joel Esler <jesler at ...5...>
>>> Sent: Monday, April 4, 2016 12:35 PM
>>> To: snort-openappid at lists.sourceforge.net
>>> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id
>>> 
>>> Forwarded message:
>>> 
>>>> From: valentin.giraud at ...128...
>>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>>> Subject: [Snort-users] Fwd: Open App Id
>>>> Date: Mon, 4 Apr 2016 13:17:29 +0200
>>>> 
>>>> 
>>>> 
>>>> -------- Original message --------
>>>> Subject: Open App Id
>>>> Date: 04.04.2016 11:07
>>>> From: valentin.giraud at ...128...
>>>> To: snort-users at lists.sourceforge.net
>>>> 
>>>> Hi snort community,
>>>> 
>>>> I am currently trying to write some detectors in lua for App Id.
>>>> But there are 2 or 3 things that I need your help to understand.
>>>> - In what way can I use the "appMapping.data"? Because I wrote some
>>>> lua detectors and they work without using it...
>>>> - There are a lot of apps that are not working really well, e.g. when I
>>>> go to "www.facebook.com" it works only from time to time...  Have you any
>>>> idea?
>>>> - I have a lot of DNS and __unknown AppName, do you have any idea
>>>> where it could come from?
>>>> 
>>>> examples of a session:
>>>> 
>>>> ********
>>>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
>>>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
>>>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
>>>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
>>>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
>>>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
>>>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
>>>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
>>>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
>>>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
>>>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
>>>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
>>>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
>>>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
>>>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
>>>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
>>>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
>>>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
>>>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
>>>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
>>>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
>>>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
>>>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
>>>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
>>>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>>>> 
>>>> ************
>>>> 
>>>> Valentin.
>>>> 
>>>> ---------------------------------------------------------------------
>>>> -
>>>> -------- _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>> 
>>> ----------------------------------------------------------------------
>>> -------- _______________________________________________
>>> Snort-openappid mailing list
>>> Snort-openappid at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
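An added example, not code from this thread or from the OpenAppID project, that does the bookkeeping the thread's troubleshooting advice calls for: it parses statistics records in the comma-separated key="value" shape quoted above, totals record counts and bytes per appName, and pulls out the "__unknown" records (the ones Mike explains as a detector reporting an ID absent from appMapping.data) so each can be matched back to the per-app session it came from. It also reads the VERSION value from a version.conf-style file; the VERSION=264 line form is taken from Valentin's report and is an assumption about the file layout. The sample stats text is constructed from the quoted session dump.

```python
"""Summarise OpenAppID application-statistics lines and flag __unknown records.

Added example for the thread above; it is not part of the mailing-list
posts or of the OpenAppID distribution.
"""
import re
from collections import defaultdict

# One record per line, as comma-separated key="value" pairs (the format
# quoted in the thread). Values may contain spaces ("Google Maps").
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Marker the engine prints when an app ID cannot be resolved to a name.
UNKNOWN = "__unknown"

# Constructed sample, modelled on the session dump quoted in the thread.
SAMPLE_STATS = """\
********
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
************
"""


def parse_stats(text):
    """Return one dict per well-formed record; separator and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        pairs = dict(_PAIR_RE.findall(line))
        if "appName" not in pairs:
            continue  # e.g. the ******** separator lines or an empty line
        records.append({
            "statTime": int(pairs.get("statTime", "0")),
            "appName": pairs["appName"],
            "txBytes": int(pairs.get("txBytes", "0")),
            "rxBytes": int(pairs.get("rxBytes", "0")),
        })
    return records


def summarize(records):
    """Aggregate record count and total bytes per appName."""
    summary = defaultdict(lambda: {"count": 0, "txBytes": 0, "rxBytes": 0})
    for rec in records:
        entry = summary[rec["appName"]]
        entry["count"] += 1
        entry["txBytes"] += rec["txBytes"]
        entry["rxBytes"] += rec["rxBytes"]
    return dict(summary)


def unknown_records(records):
    """Records whose appName is the unresolved-ID marker; their statTime
    lets you match them to the per-app session that produced them."""
    return [rec for rec in records if rec["appName"] == UNKNOWN]


def parse_version_conf(text):
    """Return the VERSION value from version.conf, or None if absent.
    Assumption: the file holds KEY=VALUE lines such as VERSION=264."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "VERSION":
            return value.strip()
    return None


if __name__ == "__main__":
    recs = parse_stats(SAMPLE_STATS)
    for name, entry in sorted(summarize(recs).items()):
        print(f"{name:12s} count={entry['count']} tx={entry['txBytes']} rx={entry['rxBytes']}")
    for rec in unknown_records(recs):
        print("unresolved app ID at statTime", rec["statTime"])
    print("ODP version:", parse_version_conf("VERSION=264\n"))
```

Run it against the stats output of one per-app pcap at a time: a session whose only non-DNS record is "__unknown" is the one whose detector (ODP or custom) is reporting an ID that is not in the mapping table.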



