[Snort-openappid] Create a custom Lua detector

Emil Suleymanli emil.suleymanli at ...145...
Mon Mar 13 14:43:54 EDT 2017


Hello,

I am trying to create a custom Lua detector for OpenAppID to detect the applications used (based on URLs, so for websites). As an example, I created the Lua detector shown in the guide: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/005/047/original/OpenDetectorDeveloperGuide.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1489415541&Signature=gAAwWqtfi33BBX4rrUup%2BrkhWls%3D

I named the detector payload_example.lua and placed it under /usr/local/etc/snort/appid/custom/lua on pfSense. I restarted Snort and, to test, visited the webpage. However, in the app-stats logs the result is shown as "appName=unknown", just as it was before I created this custom detector.

Could anyone please let me know what I am missing, and why I cannot see the app name in the logs, but instead unknown?


Thanks in advance!
Emil

