<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div id="compose" contenteditable="true" style="padding-left: 16px; padding-right: 16px; padding-bottom: 8px;">
<div>I thought the "unknown" cases were for your custom detectors; that's why I asked about the location of the custom ones. Which version of OpenAppID are you running? In my current setup, I don't see the same issue.</div>
<div><br>
</div>
<div>I don't have a computer at my disposal at the moment, will check your configs once I get a chance.</div>
<div><br>
</div>
<div>Can you explain more about the intermittent issue? Is it for specific apps? If so, which apps are they? Facebook can be a difficult one to track and troubleshoot. If you can provide a pcap where this behavior is observed, people can take a look at it.</div>
<div><br>
</div>
<div>Please post back to the list and not only to my email, this way you get faster and smarter help :)</div>
<div><br>
</div>
<div>YM<br>
<br>
<div class="acompli_signature">Sent from Mobile</div>
<br>
</div>
</div>
<div class="gmail_quote">_____________________________<br>
From: <a dir="ltr" href="mailto:valentin.giraud@...128..." x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="0">
valentin.giraud@...128...</a><br>
Sent: Monday, April 4, 2016 5:20 PM<br>
Subject: Re: [Snort-openappid] Fwd: [Snort-users] Open App Id<br>
To: Y M <<a dir="ltr" href="mailto:snort@...46..." x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2">snort@...46...</a>><br>
<br>
<br>
Hi Y M, and thank you for your prompt reply!<br>
<br>
I wrote 2 detectors, but the "__unknown" problem was already there.<br>
Here are my "snort.conf" and detector files. The path to the custom <br>
detectors is: "/usr/local/lib/openappid/custom/lua". I don't think the <br>
problem comes from the path.<br>
<br>
One more question: do you have any idea why it works only from time to time?<br>
<br>
Sincerely,<br>
Valentin.<br>
<br>
<br>
On 04.04.2016 15:48, Y M wrote:<br>
> Hi Valentin,<br>
> <br>
> To my limited understanding, the "appMapping.data" contains statically<br>
> assigned IDs to app detectors. Static assignment is for AppIDs that<br>
> have been generated or vetted by the OpenAppID team, and is not meant<br>
> to be used for custom IDs.<br>
> <br>
> For custom IDs, it seems that the AppID engine will dynamically and<br>
> automatically assign an ID to your custom app detector on the fly when<br>
> you run Snort. Anyway, please correct me if my understanding is<br>
> completely off!<br>
> <br>
> Can you please tell me how you are generating the detectors? Also show<br>
> where your custom detectors are being saved on disk. This will help<br>
> troubleshoot why you are getting "__unknown" IDs.<br>
> <br>
> YM<br>
> <br>
> ________________________________________<br>
> From: Joel Esler <<a dir="ltr" href="mailto:jesler@...5..." x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="5">jesler@...5...</a>><br>
> Sent: Monday, April 4, 2016 12:35 PM<br>
> To: <a dir="ltr" href="mailto:snort-openappid@...84...t" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="7">
snort-openappid@lists.sourceforge.net</a><br>
> Subject: [Snort-openappid] Fwd: [Snort-users] Open App Id<br>
> <br>
> Forwarded message:<br>
> <br>
>> From: <a dir="ltr" href="mailto:valentin.giraud@...128..." x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="8">
valentin.giraud@...128...</a><br>
>> To: Snort Users <<a dir="ltr" href="mailto:snort-users@...51...s.sourceforge.net" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="9">snort-users@...12...rge.net</a>><br>
>> Subject: [Snort-users] Fwd: Open App Id<br>
>> Date: Mon, 4 Apr 2016 13:17:29 +0200<br>
>> <br>
>> <br>
>> <br>
>> -------- Original message --------<br>
>> Subject: Open App Id<br>
>> Date: 04.04.2016 11:07<br>
>> From: <a dir="ltr" href="mailto:valentin.giraud@...128..." x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="12">
valentin.giraud@...128...</a><br>
>> To: <a dir="ltr" href="mailto:snort-users@...75...et" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="13">
snort-users@lists.sourceforge.net</a><br>
>> <br>
>> Hi snort community,<br>
>> <br>
>> I am currently trying to write some detectors in Lua for App Id.<br>
>> But there are 2 or 3 things that I need your help to understand.<br>
>> - In what way can I use the "appMapping.data"? Because I wrote some<br>
>> Lua detectors and they work without using it...<br>
>> - There are a lot of apps that are not working really well, e.g. when I<br>
>> go on "<a dir="ltr" href="http://www.facebook.com" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="14">www.facebook.com</a>" it works only from time to time... Do you have any idea?<br>
>> - I have a lot of DNS and __unknown AppName entries; do you have any idea<br>
>> where they could come from?<br>
>> <br>
>> examples of a session:<br>
>> <br>
>> ********<br>
>> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"<br>
>> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"<br>
>> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"<br>
>> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"<br>
>> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"<br>
>> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"<br>
>> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"<br>
>> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"<br>
>> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"<br>
>> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"<br>
>> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"<br>
>> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"<br>
>> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"<br>
>> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"<br>
>> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"<br>
>> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"<br>
>> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"<br>
>> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"<br>
>> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"<br>
>> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"<br>
>> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"<br>
>> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"<br>
>> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"<br>
>> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"<br>
>> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"<br>
>> <br>
>> ************<br>
>> <br>
>> Valentin.<br>
>> <br>
>> ------------------------------------------------------------------------------<br>
>> _______________________________________________<br>
>> Snort-users mailing list<br>
>> <a dir="ltr" href="mailto:Snort-users@lists.sourceforge.net" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="40">
Snort-users@lists.sourceforge.net</a><br>
>> Go to this URL to change user options or unsubscribe:<br>
>> <a dir="ltr" href="https://lists.sourceforge.net/lists/listinfo/snort-users" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="41">
https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
>> Snort-users list archive:<br>
>> <a dir="ltr" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="42">
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
>> <br>
>> Please visit <a dir="ltr" href="http://blog.snort.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="43">
http://blog.snort.org</a> to stay current on all the latest<br>
>> Snort news!<br>
> <br>
> ------------------------------------------------------------------------------<br>
> _______________________________________________<br>
> Snort-openappid mailing list<br>
> <a dir="ltr" href="mailto:Snort-openappid@lists.sourceforge.net" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="44">
Snort-openappid@lists.sourceforge.net</a><br>
> <a dir="ltr" href="https://lists.sourceforge.net/lists/listinfo/snort-openappid" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="45">
https://lists.sourceforge.net/lists/listinfo/snort-openappid</a><br>
> <br>
> Please visit <a dir="ltr" href="http://blog.snort.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="46">
http://blog.snort.org</a> to stay current on all the latest <br>
> Snort news!<br>
<br>
<br>
</div>
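<div>As an added example (not code from anyone in this thread), a small Python helper that parses appstats records in the key="value" format quoted above, re-joins records that were wrapped across two lines when the log was pasted into an email, and reports how much of the traffic is left as "__unknown". The sample records are constructed for this example, not the poster's data.</div>

```python
import re
from collections import defaultdict

# Constructed sample in the appstats format quoted in the thread (made-up records, not
# the poster's data); one record is wrapped mid-value, as happens when a log is pasted.
SAMPLE_STATS = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google
Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def unwrap(text):
    """Re-join records wrapped mid-value: every record starts with statTime=,
    so any other line is a continuation of the previous record."""
    lines = []
    for line in text.splitlines():
        if line.startswith("statTime=") or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line.strip()
    return lines

def parse_appstats(text):
    """Parse each record into {appName, bytes}; records without appName are skipped."""
    records = []
    for line in unwrap(text):
        fields = dict(FIELD_RE.findall(line))
        if "appName" not in fields:
            continue
        records.append({"appName": fields["appName"],
                        "bytes": int(fields.get("txBytes", 0)) + int(fields.get("rxBytes", 0))})
    return records

def summarize(records):
    """Records and bytes per appName plus the share of bytes left as __unknown. In the
    quoted log one flow appears under several appNames with identical counts, so totals overlap."""
    per_app = defaultdict(lambda: {"records": 0, "bytes": 0})
    for r in records:
        per_app[r["appName"]]["records"] += 1
        per_app[r["appName"]]["bytes"] += r["bytes"]
    total = sum(a["bytes"] for a in per_app.values())
    unknown = per_app.get("__unknown", {"bytes": 0})["bytes"]
    return {"per_app": dict(per_app), "unknown_share": unknown / total if total else 0.0}
```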
</body>
</html>