Hi Damian,

 

We have identified the cause of the errors and will include the fix in a future release. Meanwhile, the upcoming OpenAppID detector package release (version 303) contains a fix for the bogus message “Line Snort Differs AppKey”. Please let us know if you have any more issues.

 

Thanks,

Payal

 

 

From: "Mike Stepanek (mstepane)" <mstepane@cisco.com>
Date: Friday, August 3, 2018 at 1:54 PM
To: "FNU VUTLA HAREESH CHANDRA (hvutla)" <hvutla@cisco.com>, Payal Gupte <pgupte@cisco.com>
Cc: "Costas Kleopa (ckleopa)" <ckleopa@cisco.com>
Subject: FW: [Snort-users] Could not read appName. Line Snort Differs AppKey

 

Hareesh/Payal -

 

Can you guys help out on this one (somebody from your team)? I was looking into it... and then realized that it was Snort2 (I got distracted by the fact that it was similar to something recently seen on Snort3). Looking at the attached log, it looks like he's running OK. He just gets some AppID complaints at startup. If you have something (or need more from him), you should be able to reply right back to the snort-users list.

 

The first thing I saw was that warning about the bad line at the top of appMapping.data (which I think Cliff just fixed). That was the one that distracted me. :)

 

He's also seeing some of these...

 

AppInfo: AppId 4109 is UNKNOWN

 

I checked 4109, and it's not in the ODP active list, but we do have Lua detectors for it. There are a bunch more (below).

 

For the "Invalid direct client application" ones, I stopped looking once I realized it was Snort2.

 

- Mike

 

From: Damian Torres <datorr2@gmail.com>
Date: Friday, August 3, 2018 at 12:00 PM
To: "Mike Stepanek (mstepane)" <mstepane@cisco.com>, "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: Re: [Snort-users] Could not read appName. Line Snort Differs AppKey

 

Mike,

 

 

I removed the -q option.  Here's the full output from the AppId Configuration:

 

=================================================
AppId Configuration
    Detector Path:          /usr/local/lib
    appStats Files:         appstats-u2.log
    appStats Period:        60 secs
    appStats Rollover Size: 20971520 bytes
    appStats Rollover time: 86400 secs

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 4043 is UNKNOWN
AppInfo: AppId 473 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4075, for 0x7f97c78ec700 0x5599a3133e00
AppInfo: AppId 4075 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
Invalid direct client application AppId, 2634, for 0x7f97c78ec700 0x5599a314cbc0
AppInfo: AppId 2634 is UNKNOWN
AppInfo: AppId 4115 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f97c78ec700 0x5599a3198520
AppInfo: AppId 4126 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone:
        0.0.0.0-255.255.255.255 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.
=================================================

 

I also attached the full output, just in case.


 

Warm Regards,

Damian

 

 

On Fri, Aug 3, 2018 at 10:31 AM, Mike Stepanek (mstepane) <mstepane@cisco.com> wrote:

There was a similar discussion here... but it was never really conclusive whether that was the actual fatal error or not:

 

    https://lists.snort.org/pipermail/snort-users/2018-July/071578.html

 

Would you be able to post the entire output from Snort, so we can take more of a look?

 

FYI, to fix that one issue, you can just remove the bogus first line of appMapping.data from your ODP install.

 

- Mike Stepanek

   mstepane@cisco.com

 

From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Damian Torres via Snort-users <snort-users@lists.snort.org>
Reply-To: Damian Torres <datorr2@gmail.com>
Date: Thursday, August 2, 2018 at 8:55 PM
To: Snort-Users <snort-users@lists.snort.org>
Subject: [Snort-users] Could not read appName. Line Snort Differs AppKey

 

Greetings.

 

 

I am currently working on trying to add OpenAppID support for my Snort installation, and I think I almost have it working.  However, I am receiving these errors and I'm not sure what to do to fix them.

 

=== Error Output ===
Could not read appName. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 4043 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 473 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4115 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f9850a09700 0x5603a0b58520
AppInfo: AppId 4126 is UNKNOWN
Invalid direct client application AppId, 4075, for 0x7f9850a09700 0x5603a0af3e00
AppInfo: AppId 4075 is UNKNOWN
Invalid direct client application AppId, 2634, for 0x7f9850a09700 0x5603a0b0cbc0
AppInfo: AppId 2634 is UNKNOWN
====================

 

I have Google'd this and haven't been able to find anything, other than someone else having a similar issue a few months ago, who received no response.

 

 

Any help would be much appreciated.  Thank you.


 

Warm Regards,

Damian
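
Added example, not part of the original thread: a Python triage script that de-duplicates AppID startup messages of the kind quoted above, so the distinct AppIds can be checked against the installed ODP package. The sample lines are constructed in the format shown in the thread, and the function and field names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the Snort startup output quoted in the thread.
SAMPLE = """\
Could not read appName. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f9850a09700 0x5603a0b58520
AppInfo: AppId 4126 is UNKNOWN
WARNING: Directory /usr/local/lib/thirdparty does not exist.
"""

UNKNOWN_RE = re.compile(r"^AppInfo: AppId (\d+) is UNKNOWN\s*$")
INVALID_RE = re.compile(r"^Invalid direct client application AppId, (\d+), for ")
# Captures the message fields as printed; their meaning is not interpreted here.
APPKEY_RE = re.compile(r"^Could not read appName\. Line (.+?) Differs AppKey (\S+) -> (\S+)")


def summarize(text):
    """Group AppID startup warnings by AppId and message type."""
    unknown = Counter()       # AppId -> number of "is UNKNOWN" lines
    invalid_client = set()    # AppIds named in "Invalid direct client application"
    appkey = []               # (line text, first key, second key) tuples
    for raw in text.splitlines():
        line = raw.strip()
        if m := UNKNOWN_RE.match(line):
            unknown[int(m.group(1))] += 1
        elif m := INVALID_RE.match(line):
            invalid_client.add(int(m.group(1)))
        elif m := APPKEY_RE.match(line):
            appkey.append((m.group(1), m.group(2), m.group(3)))
    return {
        "unknown": dict(sorted(unknown.items())),
        "invalid_client": sorted(invalid_client),
        # UNKNOWN AppIds that were not also reported as invalid client applications
        "unknown_only": sorted(set(unknown) - invalid_client),
        "appkey_mismatch": appkey,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Comparing the summary before and after an ODP package update shows which warnings the update cleared.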