Snort mailing list archives

Re: Help! OpenAPPid not detecting apps


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 08 May 2017 13:20:52 -0600

Are you looking at the right unified file?  Appid creates its own:

output alert_unified2: filename /var/log/snort/appid_events.u2, appid_event_types

James

On 2017-05-08 08:43, Fernando Pérez Cabrera wrote:
Good day to all! I'm using Snort 2.9.9 on Ubuntu 16.04. To test its
correct behavior, I have it running with no rules (except the test
rule). I have installed it with openappid support. As I understand,
barnyard2 does NOT support openappid metadata in snort logs, so I
don't have it running right now (please correct me if I'm wrong). I'm
testing with Wikipedia but it happens with any other web page
(google.com, facebook, reddit, etc.).

This is my test rule:

alert tcp any any <> any any (msg:"wikipedia"; appid: wikipedia; sid:10000002; rev:001; classtype:unknown; GID:1;)

This is my sid-msg.map:

1 || 10000002 || 001 || unknown || 0 || Wikipedia Access

When I use Firefox to enter Wikipedia, I see that snort is correctly
logging the packets but is referring to them as appid:HTTP. Why is it
not recognizing Wikipedia? (or any other site for that matter). And of
course no alert is logged because it doesn't detect appid: Wikipedia;

(Event)
        sensor id: 0    event id: 1     event second: 1494254051        event microsecond: 454104
        sig id: 18759   gen id: 1       revision: 4     classification: 2
        priority: 3     ip source: x.x.x.x  ip destination: x.x.x.x
        src port: 57312 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0
        mpls label: 0   vland id: 0     policy id: 0    appid: HTTP

Packet
        sensor id: 0    event id: 1     event second: 1494254051
        packet second: 1494254051       packet microsecond: 454104
        linktype: 1     packet_length: 269

[    0] 00 00 5E 00 01 01 00 71 C2 21 BD BC 08 00 45 00  ..^....q.!....E.
[   16] 00 FF 46 C7 00 00 80 06 87 9B AC 15 00 11 C0 A8  ..F.............
[   32] FE C7 DF E0 1F 90 C7 BC 26 EB 35 7C BB EC 50 18  ........&.5|..P.
[   48] 01 00 3C 46 00 00 43 4F 4E 4E 45 43 54 20 65 6E  ..<F..CONNECT en
[   64] 2E 77 69 6B 69 70 65 64 69 61 2E 6F 72 67 3A 34  .wikipedia.org:4
[   80] 34 33 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65  43 HTTP/1.1..Use
[   96] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent: Mozilla
[  112] 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54  /5.0 (Windows NT
[  128] 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36   10.0; Win64; x6
[  144] 34 3B 20 72 76 3A 35 32 2E 30 29 20 47 65 63 6B  4; rv:52.0) Geck
[  160] 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66  o/20100101 Firef
[  176] 6F 78 2F 35 32 2E 30 0D 0A 50 72 6F 78 79 2D 43  ox/52.0..Proxy-C
[  192] 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D  onnection: keep-
[  208] 61 6C 69 76 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F  alive..Connectio
[  224] 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 48  n: keep-alive..H
[  240] 6F 73 74 3A 20 65 6E 2E 77 69 6B 69 70 65 64 69  ost: en.wikipedi
[  256] 61 2E 6F 72 67 3A 34 34 33 0D 0A 0D 0A           a.org:443....

(ExtraDataHdr)
        event type: 4   event length: 52

(ExtraData)
        sensor id: 0    event id: 1     event second: 1494254051
        type: 9 datatype: 1     bloblength: 28  HTTP URI: en.wikipedia.org:443

(ExtraDataHdr)
        event type: 4   event length: 52

(ExtraData)
        sensor id: 0    event id: 1     event second: 1494254051
        type: 10        datatype: 1     bloblength: 28  HTTP Hostname: en.wikipedia.org:443

As you can see, it just displays appid:HTTP, as if it could not read
the header or parse the packet data. Someone please help!
Best regards to all!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!

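The packet in the quoted dump is worth decoding before chasing a detection problem: its destination port is 8080 and the payload is an HTTP CONNECT with a Proxy-Connection header, so the flow the sensor saw is a plain-text request to a proxy, with the TLS session to Wikipedia tunnelled inside it. The following Python script is an added example, not code from the thread or from the Snort project; it takes the 269 bytes transcribed from the dump (the IP addresses come from the dump bytes, not from the masked event header) and walks Ethernet, IPv4 and TCP to pull out the ports, request line and headers.

```python
import struct

# Transcribed from the 269-byte packet in the unified2 dump in the post.
PACKET_HEX = (
    "00005e0001010071c221bdbc08004500" "00ff46c700008006879bac150011c0a8"
    "fec7dfe01f90c7bc26eb357cbbec5018" "01003c460000434f4e4e45435420656e"
    "2e77696b6970656469612e6f72673a34" "343320485454502f312e310d0a557365"
    "722d4167656e743a204d6f7a696c6c61" "2f352e30202857696e646f7773204e54"
    "2031302e303b2057696e36343b207836" "343b2072763a35322e3029204765636b"
    "6f2f3230313030313031204669726566" "6f782f35322e300d0a50726f78792d43"
    "6f6e6e656374696f6e3a206b6565702d" "616c6976650d0a436f6e6e656374696f"
    "6e3a206b6565702d616c6976650d0a48" "6f73743a20656e2e77696b6970656469"
    "612e6f72673a3434330d0a0d0a"
)


def decode_packet(raw: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP and parse the HTTP request in the payload.
    Only IPv4 over Ethernet II (unified2 linktype 1) is handled, as in the dump."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]  # IPv4 total length
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    payload = tcp[data_off:]
    head, _, _ = payload.partition(b"\r\n\r\n")  # request line + headers
    request_line, *header_lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
            "dst_port": dport, "method": method, "target": target,
            "version": version, "headers": headers,
            "is_proxy_connect": method == "CONNECT"}


if __name__ == "__main__":
    for key, value in decode_packet(bytes.fromhex(PACKET_HEX)).items():
        print(f"{key}: {value}")
```

Running it prints the CONNECT request line, the Proxy-Connection header and the 8080 destination port, which is the first thing to confirm against the event before looking at rule or detector configuration.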
