[Snort-openappid] OpenAppID question [LOGS]

Emil Suleymanli emil.suleymanli at ...145...
Tue Feb 28 15:21:57 EST 2017


I have set up Snort on pfSense and configured OpenAppID on the interfaces. However, I cannot get the application detection results properly. Sometimes the websites I browse are identified in the logs, sometimes the same websites are not. There are times when applications that I have not used are shown in the logs (ones that I used in the past, with the timestat showing the current time). On the pfSense GUI, I have enabled/configured OpenAppID, and also on the pfSense console (FreeBSD) I have added the following lines in the snort.conf file (it was the same before I changed the snort.conf file):

# appid preprocessor: per-app traffic statistics written in unified2 format,
# one bucket every app_stats_period seconds, detectors loaded from app_detector_dir
preprocessor appid: app_stats_filename appstats-u2.log, \
    app_stats_period 60, \
    app_detector_dir /usr/local/snort

What changes should I make to get the proper and correct results in the log?

Another question is, since some websites have embedded micro-apps (for example, a number of websites have Facebook or Twitter on their main pages), these are also shown as detected appNames in the logs. So, as a result, besides the webpage that has actually been visited, there are also going to be some other embedded applications identified in the logs. Since they are all presented as "appName=", I cannot differentiate which app has actually been used and which one is a micro-app embedded within the app used. Is there any way to differentiate these?

Thanks in advance.

Best Regards,
