[Snort-openappid] Create a custom Lua detector

Y M snort at ...46...
Wed Mar 15 11:10:01 EDT 2017


It is better to use the appid_detector_builder.sh tool that comes bundled with Snort's tarball within the tools directory. It works great and is easy to use.


From: Emil Suleymanli <emil.suleymanli at ...145...>
Sent: Monday, March 13, 2017 9:43:54 PM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Create a custom Lua detector


I am trying to create a custom Lua detector for OpenAppID to detect the applications used (based on URLs, so for websites). As an example, I created the Lua detector shown in the guide: https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/005/047/original/OpenDetectorDeveloperGuide.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1489415541&Signature=gAAwWqtfi33BBX4rrUup%2BrkhWls%3D

I named the detector payload_example.lua and placed it under /usr/local/etc/snort/appid/custom/lua on pfSense. I restarted Snort and, to test, visited the webpage. However, in the app-stats logs the result is shown as "appName=unknown", just as it was before I created this custom detector.

Could anyone please let me know what I am missing, and why I cannot see the app name in the logs, but instead unknown?

Thanks in advance!
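For reference, here is the shape of a URL-based custom detector of the kind the question describes. This is an added example written for this archive page, not the poster's file and not output of appid_detector_builder.sh; the application name "example_site" and the host/path patterns are assumed placeholders, and the Lua detector calls used (open_createApp, open_addUrlPattern, addAppUrl) are the ones OpenAppID exposes to custom detectors under the gDetector handle.

```lua
--[[
detection_name: example_site
version: 1
description: Added example: tags HTTP traffic to an assumed host as "example_site"
--]]

require "DetectorCommon"
local DC = DetectorCommon

-- Package metadata OpenAppID reads when it loads the file from
-- <app_detector_dir>/custom/lua. The client table tells the engine which
-- function to call at load time; URL-only detectors need no validate callback.
DetectorPackageInfo = {
    name = "example_site",
    proto = DC.ipproto.tcp,
    client = {
        init = "DetectorInit",
        clean = "DetectorClean",
        minimum_matches = 1
    }
}

gDetector = nil
gAppId = nil

function DetectorInit(detectorInstance)
    gDetector = detectorInstance

    -- Register a new application id for a name that is not in the ODP;
    -- this is what makes "appName=example_site" possible in app-stats.
    gAppId = gDetector:open_createApp("example_site")

    -- Host pattern, path pattern, scheme (assumed placeholder values).
    -- serviceAppId and clientAppId are 0 because only the payload app is set.
    gDetector:open_addUrlPattern(0, 0, gAppId, "example.test", "/", "http")

    -- Equivalent ODP-style call with the full argument list, shown for
    -- comparison with detectors shipped in the Cisco detector package:
    -- (serviceId, clientId, clientType, payloadId, payloadType,
    --  host, path, scheme, query, appId)
    gDetector:addAppUrl(0, 0, 0, gAppId, 0, "example.test", "/", "http:", "", gAppId)

    return gDetector
end

function DetectorClean()
end
```

When troubleshooting "appName=unknown", the two things to confirm first are that the appid preprocessor's app_detector_dir points at the parent of the custom/lua directory the file was placed in, and that the test traffic is plain HTTP (a URL pattern cannot match inside TLS without the host coming from SNI).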

