[Snort-openappid] OpenAppID not detecting

Costas Kleopa (ckleopa) ckleopa at ...5...
Wed May 10 11:37:02 EDT 2017


Can you try adding this in your snort command line, so you can accept bad checksums and jumbo frames?

 -k none -P 9000

Thanks
Costas

On May 10, 2017, at 11:13 AM, Fernando Pérez Cabrera <fernando.perez at ...151...> wrote:

Good day to all! I’m using Snort 2.9.9 on a Ubuntu 16.04. To test its correct behavior, I have it running with no rules (except the test rule). I have installed it with openappid support. As I understand, barnyard2 does NOT support openappid metadata in snort logs, so I don’t have it running right now (please correct me if I’m wrong). I’m testing with Wikipedia but it happens with any other social network page ( facebook, reddit, etc…).

This is my test rule:
>  alert tcp any any <> any any (msg:"wikipedia"; appid:wikipedia; sid:10000002; rev:001; classtype:unknown; gid:1;)
This is my sid-msg.map
>  1 || 10000002 || 001 || unknown || 0 || Wikipedia Access

When I use Firefox to enter Wikipedia, I see that snort is correctly logging the packets but is referring to them as appid:HTTP. Why is it not recognizing Wikipedia? (or any other site for that matter). Is it because of some issue with analyzing HTTPS requests? Or HTTPS CONNECT? And of course no alert is logged because it doesn’t detect appid:wikipedia;

(Event)
        sensor id: 0    event id: 1     event second: 1494254051        event microsecond: 454104
        sig id: 18759   gen id: 1       revision: 4      classification: 2
        priority: 3     ip source: x.x.x.x  ip destination: x.x.x.x
        src port: 57312 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0
        mpls label: 0   vland id: 0     policy id: 0    appid: HTTP

Packet
        sensor id: 0    event id: 1     event second: 1494254051
        packet second: 1494254051       packet microsecond: 454104
        linktype: 1     packet_length: 269

[    0] 00 00 5E 00 01 01 00 71 C2 21 BD BC 08 00 45 00  ..^....q.!....E.
[   16] 00 FF 46 C7 00 00 80 06 87 9B AC 15 00 11 C0 A8  ..F.............
[   32] FE C7 DF E0 1F 90 C7 BC 26 EB 35 7C BB EC 50 18  ........&.5|..P.
[   48] 01 00 3C 46 00 00 43 4F 4E 4E 45 43 54 20 65 6E  ..<F..CONNECT en
[   64] 2E 77 69 6B 69 70 65 64 69 61 2E 6F 72 67 3A 34  .wikipedia.org:4
[   80] 34 33 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65  43 HTTP/1.1..Use
[   96] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent: Mozilla
[  112] 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54  /5.0 (Windows NT
[  128] 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36   10.0; Win64; x6
[  144] 34 3B 20 72 76 3A 35 32 2E 30 29 20 47 65 63 6B  4; rv:52.0) Geck
[  160] 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66  o/20100101 Firef
[  176] 6F 78 2F 35 32 2E 30 0D 0A 50 72 6F 78 79 2D 43  ox/52.0..Proxy-C
[  192] 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D  onnection: keep-
[  208] 61 6C 69 76 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F  alive..Connectio
[  224] 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 48  n: keep-alive..H
[  240] 6F 73 74 3A 20 65 6E 2E 77 69 6B 69 70 65 64 69  ost: en.wikipedi
[  256] 61 2E 6F 72 67 3A 34 34 33 0D 0A 0D 0A           a.org:443....

(ExtraDataHdr)
        event type: 4   event length: 52

(ExtraData)
        sensor id: 0    event id: 1     event second: 1494254051
        type: 9 datatype: 1     bloblength: 28  HTTP URI: en.wikipedia.org:443

(ExtraDataHdr)
        event type: 4   event length: 52

(ExtraData)
        sensor id: 0    event id: 1     event second: 1494254051
        type: 10        datatype: 1     bloblength: 28  HTTP Hostname: en.wikipedia.org:443

As you can see, it just displays appid:HTTP as if it could not read the header or parse the packet data? Someone please help!
Best regards to all!

_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
