[Snort-openappid] OpenAppID question [LOGS]
emil.suleymanli at ...145...
Tue Feb 28 15:21:57 EST 2017
I have set up Snort on pfSense and configured OpenAppID on the interfaces. However, I cannot get the application detection results properly. Sometimes the websites I browse are identified in the logs, sometimes the same websites are not. There are times when applications that I have not used are shown in the logs (ones that I used in the past, with the timestamp showing the current time). On the pfSense GUI, I have enabled/configured OpenAppID, and also on the pfSense console (FreeBSD) I have added the following lines to the snort.conf file (it was the same before I changed the snort.conf file):
preprocessor appid: app_stats_filename appstats-u2.log, \
app_stats_period 60, \
What changes should I make to get the proper and correct results in the log?
Another question is, since some websites have embedded micro-apps (for example, a number of websites have Facebook or Twitter on their main pages), these are also shown in the logs as detected appNames. So, as a result, besides the webpage that has actually been visited, there are also going to be some other embedded applications identified in the logs. Since they are all presented as "appName=", I cannot differentiate which app has actually been used and which one is a micro-app embedded within the app used. Is there any way to differentiate these?
Thanks in advance.
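An added example (not from the original post or the Snort project) showing one way to work with the per-period appstats records the question describes. It assumes the key="value" line format that u2openappid produces from appstats-u2.log, uses constructed sample lines, and applies a byte-share heuristic: within one app_stats_period, embedded widgets usually move far fewer bytes than the site actually visited. The appstats records carry no host or referrer, so this is a triage aid, not a definitive separation.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed u2openappid key="value" style;
# the statTime values are arbitrary and the apps/bytes are invented.
SAMPLE_LOG = """\
statTime="1488300000",appName="http",txBytes="1200",rxBytes="480000"
statTime="1488300000",appName="facebook",txBytes="300",rxBytes="2100"
statTime="1488300000",appName="twitter",txBytes="250",rxBytes="1800"
statTime="1488300060",appName="youtube",txBytes="5000",rxBytes="9000000"
statTime="1488300060",appName="google_analytics",txBytes="200",rxBytes="900"
"""

RECORD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = {"statTime", "appName", "txBytes", "rxBytes"}


def parse_appstats(text):
    """Parse each key="value" line into a dict; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = dict(RECORD_RE.findall(line))
        if REQUIRED.issubset(fields):
            records.append(fields)
    return records


def rank_by_period(records, embedded_share=0.05):
    """Group by stat period (one per app_stats_period), rank apps by total
    bytes, and flag apps whose share of the period's traffic is below
    `embedded_share` as likely embedded components (heuristic only)."""
    per_period = defaultdict(lambda: defaultdict(int))
    for r in records:
        per_period[r["statTime"]][r["appName"]] += int(r["txBytes"]) + int(r["rxBytes"])
    result = {}
    for period, apps in per_period.items():
        period_total = sum(apps.values()) or 1
        ranked = sorted(apps.items(), key=lambda kv: kv[1], reverse=True)
        result[period] = [
            {"app": name, "bytes": b, "share": b / period_total,
             "likely_embedded": b / period_total < embedded_share}
            for name, b in ranked
        ]
    return result
```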