[Snort-openappid] [Snort-users] Could not read appName. Line Snort Differs AppKey

Payal Gupte (pgupte) pgupte at cisco.com
Thu Aug 16 13:51:53 EDT 2018


Hi Damian,

We have identified the cause of the errors and will include the fix in a future release. Meanwhile, the upcoming OpenAppID detector package release (version 303) contains a fix for the bogus message "Line Snort Differs AppKey". Please let us know if you have any more issues.

Thanks,
Payal


From: "Mike Stepanek (mstepane)" <mstepane at cisco.com>
Date: Friday, August 3, 2018 at 1:54 PM
To: "FNU VUTLA HAREESH CHANDRA (hvutla)" <hvutla at cisco.com>, Payal Gupte <pgupte at cisco.com>
Cc: "Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
Subject: FW: [Snort-users] Could not read appName. Line Snort Differs AppKey

Hareesh/Payal -

Can you guys help out on this one (somebody from your team)? I was looking into it... and then realized that it was Snort2 (I got distracted by the fact that it was similar to something recently seen on Snort3). Looking at the attached log, it looks like he's running OK. He just gets some AppID complaints at startup. If you have something (or need more from him), you should be able to reply right back to the snort-users list.

The first thing I saw was that warning about the bad line at the top of appMapping.data (which I think Cliff just fixed). That was the one that distracted me. :)

He's also seeing some of these...

AppInfo: AppId 4109 is UNKNOWN

I checked 4109, and it's not in the ODP active list, but we do have Lua detectors for it. There are a bunch more (below).

For the "Invalid direct client application" ones, I stopped looking once I realized it was Snort2.

- Mike

From: Damian Torres <datorr2 at gmail.com>
Date: Friday, August 3, 2018 at 12:00 PM
To: "Mike Stepanek (mstepane)" <mstepane at cisco.com>, "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] Could not read appName. Line Snort Differs AppKey

Mike,


I removed the -q option.  Here's the full output from the AppId Configuration:

=================================================
AppId Configuration
    Detector Path:          /usr/local/lib
    appStats Files:         appstats-u2.log
    appStats Period:        60 secs
    appStats Rollover Size: 20971520 bytes
    appStats Rollover time: 86400 secs

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 4043 is UNKNOWN
AppInfo: AppId 473 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4075, for 0x7f97c78ec700 0x5599a3133e00
AppInfo: AppId 4075 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
Invalid direct client application AppId, 2634, for 0x7f97c78ec700 0x5599a314cbc0
AppInfo: AppId 2634 is UNKNOWN
AppInfo: AppId 4115 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f97c78ec700 0x5599a3198520
AppInfo: AppId 4126 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone:
        0.0.0.0-255.255.255.255 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.
=================================================

I also attached the full output, just in case.


Warm Regards,
Damian


On Fri, Aug 3, 2018 at 10:31 AM, Mike Stepanek (mstepane) <mstepane at cisco.com> wrote:
There was a similar discussion here... but it was never really conclusive whether that was the actual fatal error or not:

    https://lists.snort.org/pipermail/snort-users/2018-July/071578.html

Would you be able to post the entire output from Snort, so we can take more of a look?

FYI, to fix that one issue, you can just remove the bogus first line of appMapping.data from your ODP install.

- Mike Stepanek
   mstepane at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Damian Torres via Snort-users <snort-users at lists.snort.org>
Reply-To: Damian Torres <datorr2 at gmail.com>
Date: Thursday, August 2, 2018 at 8:55 PM
To: Snort-Users <snort-users at lists.snort.org>
Subject: [Snort-users] Could not read appName. Line Snort Differs AppKey

Greetings.


I am currently working on trying to add OpenAppID support for my Snort installation, and I think I almost have it working.  However, I am receiving these errors and I'm not sure what to do to fix them.

=== Error Output ===
Could not read appName. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 4043 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 473 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4115 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f9850a09700 0x5603a0b58520
AppInfo: AppId 4126 is UNKNOWN
Invalid direct client application AppId, 4075, for 0x7f9850a09700 0x5603a0af3e00
AppInfo: AppId 4075 is UNKNOWN
Invalid direct client application AppId, 2634, for 0x7f9850a09700 0x5603a0b0cbc0
AppInfo: AppId 2634 is UNKNOWN
====================

I have Googled this and haven't been able to find anything, other than someone else having a similar issue a few months ago, who received no response.

http://seclists.org/snort/2018/q2/336

Any help would be much appreciated.  Thank you.


Warm Regards,
Damian

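The startup messages quoted in this thread are easier to triage once they are reduced to a list of distinct AppIds. The following Python script is an added example, not code from the thread or from the Snort project: it parses the three message shapes seen above ("AppInfo: AppId N is UNKNOWN", "Invalid direct client application AppId, N, for ...", and the "Could not read appName" AppKey mismatch), counts repeats, and separates the AppIds that were only reported UNKNOWN from those that also triggered the "Invalid direct client application" message. The `active_appids` argument of `not_in_active_list` is an assumption: it stands for whatever list of AppIds the operator extracts from their own ODP install, which this thread does not show. The sample input is constructed from lines posted in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: lines in the shape of the Snort 2 AppID startup
# output quoted in the thread (AppId numbers taken from the posted output).
SAMPLE_OUTPUT = """\
Could not read appName. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f9850a09700 0x5603a0b58520
AppInfo: AppId 4126 is UNKNOWN
WARNING: Directory /usr/local/lib/thirdparty does not exist.
"""

UNKNOWN_RE = re.compile(r"^AppInfo: AppId (\d+) is UNKNOWN$")
INVALID_CLIENT_RE = re.compile(r"^Invalid direct client application AppId, (\d+), for ")
APPKEY_RE = re.compile(r"^Could not read appName\. Line Snort Differs AppKey (\S+) -> (\S+)$")


@dataclass
class AppIdSummary:
    # AppId -> number of "is UNKNOWN" lines emitted for it
    unknown: Counter = field(default_factory=Counter)
    # AppIds that also appeared in an "Invalid direct client application" line
    invalid_client: set = field(default_factory=set)
    # (name in detector, name Snort expected) pairs from AppKey mismatch lines
    appkey_mismatches: list = field(default_factory=list)
    # Any other WARNING: lines, kept verbatim for the operator
    other_warnings: list = field(default_factory=list)


def summarize(output: str) -> AppIdSummary:
    """Reduce raw Snort AppID startup output to a structured summary."""
    s = AppIdSummary()
    for raw in output.splitlines():
        line = raw.rstrip()
        if m := UNKNOWN_RE.match(line):
            s.unknown[int(m.group(1))] += 1
        elif m := INVALID_CLIENT_RE.match(line):
            s.invalid_client.add(int(m.group(1)))
        elif m := APPKEY_RE.match(line):
            s.appkey_mismatches.append((m.group(1), m.group(2)))
        elif line.startswith("WARNING:"):
            s.other_warnings.append(line)
    return s


def unknown_only(summary: AppIdSummary) -> list:
    """AppIds reported UNKNOWN without a matching invalid-client message."""
    return sorted(set(summary.unknown) - summary.invalid_client)


def not_in_active_list(summary: AppIdSummary, active_appids: set) -> list:
    """UNKNOWN AppIds absent from the operator-supplied active AppId list.

    active_appids is an assumption for this example: the operator would
    build it from their own ODP install, which the thread does not show.
    """
    return sorted(a for a in summary.unknown if a not in active_appids)


if __name__ == "__main__":
    summary = summarize(SAMPLE_OUTPUT)
    for appid, count in sorted(summary.unknown.items()):
        flag = " (also invalid direct client)" if appid in summary.invalid_client else ""
        print(f"AppId {appid}: UNKNOWN x{count}{flag}")
    for detector_name, expected in summary.appkey_mismatches:
        print(f"AppKey mismatch: detector says {detector_name!r}, Snort expected {expected!r}")
    for w in summary.other_warnings:
        print(w)
```

Feed it the full startup output (run without `-q`, as Mike asked for in the thread) and the distinct AppId list it prints is what to compare against the detector package, rather than the repeated raw lines.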
