[Snort-users] Help! OpenAPPid not detecting apps

James Lay jlay at ...13475...
Mon May 8 15:20:52 EDT 2017


Are you looking at the right unified file?  Appid creates its own:

output alert_unified2: filename /var/log/snort/appid_events.u2, appid_event_types

James

On 2017-05-08 08:43, Fernando Pérez Cabrera wrote:
> Good day to all! I'm using Snort 2.9.9 on a Ubuntu 16.04. To test its
> correct behavior, I have it running with no rules (except the test
> rule). I have installed it with openappid support. As I understand,
> barnyard2 does NOT support openappid metadata in snort logs, so I
> don't have it running right now (please correct me if I'm wrong). I'm
> testing with Wikipedia but it happens with any other web page
> (google.com, facebook, reddit, etc...).
> 
> This is my test rule:
> 
> alert tcp any any <> any any (msg:"wikipedia"; appid: wikipedia; sid:10000002; rev:001; classtype:unknown; GID:1;)
> This is my sid-msg.map
> 
> 1 || 10000002 || 001 || unknown || 0 || Wikipedia Access
> 
> When I use Firefox to enter Wikipedia, I see that snort is correctly
> logging the packets but is referring to them as appid:HTTP. Why is it
> not recognizing Wikipedia? (or any other site for that matter). And of
> course no alert is logged because it doesn't detect appid: Wikipedia;
> 
> (Event)
>         sensor id: 0    event id: 1     event second: 1494254051        event microsecond: 454104
>         sig id: 18759   gen id: 1       revision: 4     classification: 2
>         priority: 3     ip source: x.x.x.x  ip destination: x.x.x.x
>         src port: 57312 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0
>         mpls label: 0   vland id: 0     policy id: 0    appid: HTTP
> 
> Packet
>         sensor id: 0    event id: 1     event second: 1494254051
>         packet second: 1494254051       packet microsecond: 454104
>         linktype: 1     packet_length: 269
> 
> [    0] 00 00 5E 00 01 01 00 71 C2 21 BD BC 08 00 45 00  ..^....q.!....E.
> [   16] 00 FF 46 C7 00 00 80 06 87 9B AC 15 00 11 C0 A8  ..F.............
> [   32] FE C7 DF E0 1F 90 C7 BC 26 EB 35 7C BB EC 50 18  ........&.5|..P.
> [   48] 01 00 3C 46 00 00 43 4F 4E 4E 45 43 54 20 65 6E  ..<F..CONNECT en
> [   64] 2E 77 69 6B 69 70 65 64 69 61 2E 6F 72 67 3A 34  .wikipedia.org:4
> [   80] 34 33 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65  43 HTTP/1.1..Use
> [   96] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent: Mozilla
> [  112] 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54  /5.0 (Windows NT
> [  128] 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36   10.0; Win64; x6
> [  144] 34 3B 20 72 76 3A 35 32 2E 30 29 20 47 65 63 6B  4; rv:52.0) Geck
> [  160] 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66  o/20100101 Firef
> [  176] 6F 78 2F 35 32 2E 30 0D 0A 50 72 6F 78 79 2D 43  ox/52.0..Proxy-C
> [  192] 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D  onnection: keep-
> [  208] 61 6C 69 76 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F  alive..Connectio
> [  224] 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 48  n: keep-alive..H
> [  240] 6F 73 74 3A 20 65 6E 2E 77 69 6B 69 70 65 64 69  ost: en.wikipedi
> [  256] 61 2E 6F 72 67 3A 34 34 33 0D 0A 0D 0A           a.org:443....
> 
> (ExtraDataHdr)
>         event type: 4   event length: 52
> 
> (ExtraData)
>         sensor id: 0    event id: 1     event second: 1494254051
>         type: 9 datatype: 1     bloblength: 28  HTTP URI: en.wikipedia.org:443
> 
> (ExtraDataHdr)
>         event type: 4   event length: 52
> 
> (ExtraData)
>         sensor id: 0    event id: 1     event second: 1494254051
>         type: 10        datatype: 1     bloblength: 28  HTTP Hostname: en.wikipedia.org:443
> 
> As you can see, it just displays appid:HTTP, as if it could not read
> the header or parse the packet data. Someone please help!
> Best regards to all!
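James's answer is that AppID writes its events to its own unified2 file (the `appid_events.u2` output above), so the first check is what that file actually contains. The script below is an added example (mine, not James's, Fernando's or the Snort project's code) that walks a unified2 byte stream, decodes the AppID event record and its HTTP URI / HTTP Hostname extra-data records, and reports the `app_name` per event. Assumptions, all labelled in the code: the record-type numbers (2, 7, 110, 111) and the 124-byte AppID event layout are as I recall them from Snort's unified2 header and should be checked against your Snort source; the sample bytes are constructed here from the field values in the thread's dump (sid 18759, event id 1, port 8080, appid HTTP, extra-data types 9 and 10), with RFC 5737 documentation addresses standing in for the masked IPs.

```python
import struct
from ipaddress import IPv4Address

# Record types as I recall them from Snort's unified2 header (assumption:
# confirm against sf_unified2.h in your Snort source before relying on them).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110
UNIFIED2_IDS_EVENT_APPID = 111

# Extra-data type codes exactly as they appear in the thread's dump.
EXTRA_DATA_NAMES = {9: "HTTP URI", 10: "HTTP Hostname"}

RECORD_HDR = struct.Struct("!II")  # record type, record length
# AppID event: the classic IDS event fields plus a 64-byte app_name (assumed layout, 124 bytes):
# sensor, event_id, event_second, event_usec, sid, gid, rev, class, prio, ip_src, ip_dst,
# sport, dport, proto, impact_flag, impact, blocked, mpls_label, vlan_id, policy_id, app_name
APPID_EVENT = struct.Struct("!11I2H4BI2H64s")
# Extra data: event_type, event_length, sensor, event_id, event_second, type, data_type, blob_length
EXTRA_HDR = struct.Struct("!8I")


def iter_records(buf):
    """Yield (record_type, body) for every record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if off + rlen > len(buf):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, buf[off:off + rlen]
        off += rlen


def parse_appid_event(body):
    """Decode a type-111 record into a dict; app_name is NUL-padded in the file."""
    f = APPID_EVENT.unpack(body[:APPID_EVENT.size])
    return {
        "event_id": f[1], "sid": f[4], "gid": f[5], "rev": f[6],
        "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
        "appid": f[20].split(b"\0", 1)[0].decode("ascii", "replace"),
        "extra": {},
    }


def parse_extra_data(body):
    """Decode a type-110 record; blob_length counts data_type, blob_length and the payload
    (the thread shows bloblength 28 for the 20-byte 'en.wikipedia.org:443')."""
    _, _, _, event_id, _, dtype, _, blob_len = EXTRA_HDR.unpack(body[:EXTRA_HDR.size])
    payload = body[EXTRA_HDR.size:EXTRA_HDR.size + blob_len - 8]
    return event_id, dtype, payload.decode("ascii", "replace")


def summarize(buf):
    """Return one dict per AppID event with its extra-data strings attached."""
    events = {}
    for rtype, body in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT_APPID:
            ev = parse_appid_event(body)
            events[ev["event_id"]] = ev
        elif rtype == UNIFIED2_EXTRA_DATA:
            event_id, dtype, text = parse_extra_data(body)
            if event_id in events:
                events[event_id]["extra"][EXTRA_DATA_NAMES.get(dtype, "type %d" % dtype)] = text
        # UNIFIED2_PACKET and plain UNIFIED2_IDS_EVENT records carry no app_name; skipped here
    return list(events.values())


# --- constructed sample input mirroring the thread's dump (IPs are documentation addresses) ---
def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def _extra(event_id, dtype, text):
    data = text.encode()
    hdr = EXTRA_HDR.pack(4, EXTRA_HDR.size + len(data), 0, event_id, 1494254051, dtype, 1, 8 + len(data))
    return _record(UNIFIED2_EXTRA_DATA, hdr + data)


SAMPLE = (
    _record(UNIFIED2_IDS_EVENT_APPID, APPID_EVENT.pack(
        0, 1, 1494254051, 454104, 18759, 1, 4, 2, 3,
        int(IPv4Address("192.0.2.10")), int(IPv4Address("198.51.100.1")),
        57312, 8080, 6, 0, 0, 0, 0, 0, 0, b"HTTP"))
    + _extra(1, 9, "en.wikipedia.org:443")
    + _extra(1, 10, "en.wikipedia.org:443")
)

if __name__ == "__main__":
    for ev in summarize(SAMPLE):
        print("event %d  %d:%d:%d  %s:%d -> %s:%d  appid=%s  %s" % (
            ev["event_id"], ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport"],
            ev["dst"], ev["dport"], ev["appid"], ev["extra"]))
```

To run it against a live sensor, replace `SAMPLE` with the bytes of the file Snort actually opened (Snort appends a timestamp to the configured name, so look for `/var/log/snort/appid_events.u2.<timestamp>`); if every event there still says `appid=HTTP`, the problem is in detection rather than in which file is being read.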



