Snort mailing list archives
Help! OpenAPPid not detecting apps
From: Fernando Pérez Cabrera <fernando.perez () datys cu>
Date: Mon, 8 May 2017 14:43:59 +0000
Good day to all! I'm using Snort 2.9.9 on an Ubuntu 16.04. To test its correct behavior, I have it running with no rules
(except the test rule). I have installed it with openappid support. As I understand, barnyard2 does NOT support
openappid metadata in snort logs, so I don't have it running right now (please correct me if I'm wrong). I'm testing
with Wikipedia, but it happens with any other web page (google.com, facebook, reddit, etc.).
This is my test rule:
alert tcp any any <> any any (msg:"wikipedia"; appid: wikipedia; sid:10000002; rev:001; classtype:unknown; GID:1;)
This is my sid-msg.map
1 || 10000002 || 001 || unknown || 0 || Wikipedia Access
When I use Firefox to enter Wikipedia, I see that snort is correctly logging the packets but is referring to them as
appid:HTTP. Why is it not recognizing Wikipedia (or any other site, for that matter)? And of course no alert is logged
because it doesn't detect appid: Wikipedia;
(Event)
sensor id: 0 event id: 1 event second: 1494254051 event microsecond: 454104
sig id: 18759 gen id: 1 revision: 4 classification: 2
priority: 3 ip source: x.x.x.x ip destination: x.x.x.x
src port: 57312 dest port: 8080 protocol: 6 impact_flag: 0 blocked: 0
mpls label: 0 vland id: 0 policy id: 0 appid: HTTP
Packet
sensor id: 0 event id: 1 event second: 1494254051
packet second: 1494254051 packet microsecond: 454104
linktype: 1 packet_length: 269
[ 0] 00 00 5E 00 01 01 00 71 C2 21 BD BC 08 00 45 00 ..^....q.!....E.
[ 16] 00 FF 46 C7 00 00 80 06 87 9B AC 15 00 11 C0 A8 ..F.............
[ 32] FE C7 DF E0 1F 90 C7 BC 26 EB 35 7C BB EC 50 18 ........&.5|..P.
[ 48] 01 00 3C 46 00 00 43 4F 4E 4E 45 43 54 20 65 6E ..<F..CONNECT en
[ 64] 2E 77 69 6B 69 70 65 64 69 61 2E 6F 72 67 3A 34 .wikipedia.org:4
[ 80] 34 33 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 43 HTTP/1.1..Use
[ 96] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 r-Agent: Mozilla
[ 112] 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 /5.0 (Windows NT
[ 128] 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 10.0; Win64; x6
[ 144] 34 3B 20 72 76 3A 35 32 2E 30 29 20 47 65 63 6B 4; rv:52.0) Geck
[ 160] 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66 o/20100101 Firef
[ 176] 6F 78 2F 35 32 2E 30 0D 0A 50 72 6F 78 79 2D 43 ox/52.0..Proxy-C
[ 192] 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D onnection: keep-
[ 208] 61 6C 69 76 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F alive..Connectio
[ 224] 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 48 n: keep-alive..H
[ 240] 6F 73 74 3A 20 65 6E 2E 77 69 6B 69 70 65 64 69 ost: en.wikipedi
[ 256] 61 2E 6F 72 67 3A 34 34 33 0D 0A 0D 0A a.org:443....
(ExtraDataHdr)
event type: 4 event length: 52
(ExtraData)
sensor id: 0 event id: 1 event second: 1494254051
type: 9 datatype: 1 bloblength: 28 HTTP URI: en.wikipedia.org:443
(ExtraDataHdr)
event type: 4 event length: 52
(ExtraData)
sensor id: 0 event id: 1 event second: 1494254051
type: 10 datatype: 1 bloblength: 28 HTTP Hostname: en.wikipedia.org:443
As you can see, it just displays appid:HTTP, as if it could not read the header or parse the packet data. Someone please
help!
Best regards to all!
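The packet dump quoted in the post, decoded as an added example (this is not part of Fernando's message and not Snort or OpenAppID tooling; function and variable names are my own). It rebuilds the raw bytes from the unified2 "[ off] xx xx ..." lines, walks the Ethernet, IPv4 and TCP headers, and parses the TCP payload as HTTP. What the payload actually is matters here: a CONNECT request to a proxy on port 8080 for en.wikipedia.org:443, i.e. the browser is tunnelling TLS through a proxy rather than talking to Wikipedia directly, which is a different picture from "Firefox loads Wikipedia".

```python
import re
import struct

# Packet dump lines copied from the unified2 "Packet" record quoted in the post above.
SNORT_PACKET_DUMP = """\
[ 0] 00 00 5E 00 01 01 00 71 C2 21 BD BC 08 00 45 00 ..^....q.!....E.
[ 16] 00 FF 46 C7 00 00 80 06 87 9B AC 15 00 11 C0 A8 ..F.............
[ 32] FE C7 DF E0 1F 90 C7 BC 26 EB 35 7C BB EC 50 18 ........&.5|..P.
[ 48] 01 00 3C 46 00 00 43 4F 4E 4E 45 43 54 20 65 6E ..<F..CONNECT en
[ 64] 2E 77 69 6B 69 70 65 64 69 61 2E 6F 72 67 3A 34 .wikipedia.org:4
[ 80] 34 33 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 43 HTTP/1.1..Use
[ 96] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 r-Agent: Mozilla
[ 112] 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 /5.0 (Windows NT
[ 128] 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 10.0; Win64; x6
[ 144] 34 3B 20 72 76 3A 35 32 2E 30 29 20 47 65 63 6B 4; rv:52.0) Geck
[ 160] 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66 o/20100101 Firef
[ 176] 6F 78 2F 35 32 2E 30 0D 0A 50 72 6F 78 79 2D 43 ox/52.0..Proxy-C
[ 192] 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D onnection: keep-
[ 208] 61 6C 69 76 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F alive..Connectio
[ 224] 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 48 n: keep-alive..H
[ 240] 6F 73 74 3A 20 65 6E 2E 77 69 6B 69 70 65 64 69 ost: en.wikipedi
[ 256] 61 2E 6F 72 67 3A 34 34 33 0D 0A 0D 0A a.org:443....
"""
PACKET_LENGTH = 269  # "packet_length: 269" from the same record

LINE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hex_dump(dump: str, packet_length: int) -> bytes:
    """Rebuild raw packet bytes from Snort's dump lines.

    Only packet_length - offset (at most 16) tokens per line are read as hex, so the
    trailing ASCII column, which can itself look like hex (e.g. "43 HTTP/1.1"), is ignored.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        offset = int(m.group(1))
        if offset != len(out):
            raise ValueError(f"offset {offset} does not follow {len(out)} bytes already read")
        count = min(16, packet_length - offset)
        tokens = m.group(2).split()[:count]
        if len(tokens) != count or not all(HEX_TOKEN.match(t) for t in tokens):
            raise ValueError(f"bad hex bytes at offset {offset}")
        out += bytes(int(t, 16) for t in tokens)
    if len(out) != packet_length:
        raise ValueError(f"got {len(out)} bytes, record says {packet_length}")
    return bytes(out)


def decode_tcp(pkt: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return addressing, flags and the TCP payload."""
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP request head into request line and a lower-cased header map."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def explain_snort_dump(dump: str, packet_length: int) -> dict:
    """Summarise what the logged packet really carries."""
    l4 = decode_tcp(parse_hex_dump(dump, packet_length))
    req = parse_http_request(l4["payload"])
    return {
        "src": l4["src"], "dst": l4["dst"], "sport": l4["sport"], "dport": l4["dport"],
        "tcp_flags": l4["flags"],
        "method": req["method"], "target": req["target"],
        "host": req["headers"].get("host"),
        "user_agent": req["headers"].get("user-agent"),
        # A CONNECT request opens a proxy tunnel: what follows on this TCP connection is
        # TLS to the proxy, not a direct HTTPS session between the client and the site.
        "proxied_tls": req["method"] == "CONNECT",
    }


if __name__ == "__main__":
    for key, value in explain_snort_dump(SNORT_PACKET_DUMP, PACKET_LENGTH).items():
        print(f"{key}: {value}")
```

Two checks fall out of the decoded record. First, the connection is 172.21.0.17:57312 to 192.168.254.199:8080 with a CONNECT en.wikipedia.org:443 request, so the sensor is seeing proxy traffic, and the only clear-text application data on the wire is that HTTP request. Second, the logged event carries sig id 18759 / gen id 1 / rev 4, not sid 10000002, so it was produced by some other rule that happened to fire on this packet, and the appid field on it is the metadata attached to that event rather than evidence of what the test rule matched. Both are worth confirming before concluding that OpenAppID itself is failing.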
Current thread:
- Help! OpenAPPid not detecting apps Fernando Pérez Cabrera (May 08)
- Re: Help! OpenAPPid not detecting apps Nickolas Beam (May 08)
- Re: Help! OpenAPPid not detecting apps James Lay (May 08)
