[Snort-openappid] OpenAppID custom detector

Deivison Xavier deivisonvx at gmail.com
Mon Apr 23 23:51:06 EDT 2018


The generated .lua file and a packet capture taken with Wireshark are attached.
More information about the application:
IP: 200.189.97.13
Port: 212
Protocol: TCP

Thank you for your help!

2018-04-23 21:49 GMT-03:00 Costas Kleopa (ckleopa) <ckleopa at cisco.com>:

> Could you share a small sample Pcaps and the lua script you generated for
> us to see what the issue is?
>
> Thanks,
> Costas
>
> On Apr 23, 2018, at 3:47 PM, Deivison Xavier via Snort-openappid <
> snort-openappid at lists.snort.org> wrote:
>
> I forgot to mention that I already used the tool; I can generate the .lua
> file. But in the log processing it only appears as "unknown", the defined name
> appears.
>
> 2018-04-23 15:39 GMT-03:00 Y M via Snort-openappid <
> snort-openappid at lists.snort.org>:
>
>> You can use the “appid_detector_builder.sh” tool that comes with Snort’s
>> tarball in the bin directory.
>>
>> YM
>> ------------------------------
>> *From:* Snort-openappid <snort-openappid-bounces at lists.snort.org> on
>> behalf of Deivison Xavier via Snort-openappid <
>> snort-openappid at lists.snort.org>
>> *Sent:* Monday, April 23, 2018 9:36:04 PM
>> *To:* snort-openappid at lists.snort.org
>> *Subject:* [Snort-openappid] OpenAppID custom detector
>>
>> Hello,
>>
>> I am doing college work on OpenAppID (Snort 2.9.9.11/Ubuntu16). I'm
>> having trouble creating a detector for a third-party application. I read
>> OpenDetectorDeveloperGuide3.0n (https://www.snort.org/downloads/openappid/6328),
>> but it was not clear how to customize a detector. Does anyone have
>> knowledge about the subject?
>>
>> --
>>
>>
>> *Regards,*
>> *Deivison Xavier*
>>
>> _______________________________________________
>> Snort-openappid mailing list
>> Snort-openappid at lists.snort.org
>> https://lists.snort.org/mailman/listinfo/snort-openappid
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>>
>
>
> --
>
>
> *Regards,*
> *Deivison Xavier*
>
>
>


-- 


*Regards,*
*Deivison Xavier*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Mira.lua
Type: application/octet-stream
Size: 739 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180424/604f32af/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Mira.pcapng
Type: application/octet-stream
Size: 1650668 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180424/604f32af/attachment-0003.obj>