Appinfo: Appid ___ is UNKNOWN???
-
@mcury It should still work with the old rules right even if no one supports it?
-
@JonathanLee said in Appinfo: Appid ___ is UNKNOWN???:
It should still work with the old rules right even if no one supports it?
Unfortunately I'm not the right user to answer that, I haven't used appID in a long time.
-
@JonathanLee said in Appinfo: Appid ___ is UNKNOWN???:
@mcury It should still work with the old rules right even if no one supports it?
Edit:
Per @bmeeks, the package maintainer for the IPS/IDS group, the Appid rules haven't been updated in years by the third party group that used to update them.
-
I can see they still function under logs. Just seems to be missing some new items like Amazon Fire etc.
-
@JonathanLee
I have mentioned in several previous replies to various threads on OpenAppID that the rule set used was originally provided for free by a University professor and his students from Brazil. They ceased maintaining the set of OpenAppID rules many years ago. Since that time, a large number of the rules no longer work for various reasons. The errors you see are because the latest OpenAppID rule stubs package produced by the upstream Snort VRT does not match up properly with the very old user-contributed set of OpenAppID text rules from that Brazilian University team.
OpenAppID requires both rules stubs (provided by the Snort team) AND individual user text rules (written and provided by the user) in order to function. You will need to manually create your own set of OpenAppID text rules. If you do this, and wish to share them and maintain them for others to use, that would be wonderful.
So far, I have not found a maintained public source of OpenAppID text rules. Nobody wants to take responsibility for that amount of work and not get paid for it. Without continually updated text rules, the OpenAppID function in Snort is of limited usefulness. The OpenAppID text rules package you can download on the GLOBAL SETTINGS tab is just meant to be a starter/tutorial set. These are the rules from that University project of many years ago.
-
@bmeeks are there any guides on how to fix the missing text entries? Or an example of one? Where would I find what reference AppId 4295 is, for example?
-
@JonathanLee said in Appinfo: Appid ___ is UNKNOWN???:
@bmeeks are there any guides on how to fix the missing text entries? Or an example of one? Where would I find what reference AppId 4295 is, for example?
Google would be your best friend here. There is some spotty (and unfortunately old) tutorial information out there to be found.
OpenAppID was something Cisco inherited when they bought Sourcefire several years ago. They decided to release it as open source. Prior to that, it had been one of the prime bread-and-butter items for Sourcefire when they marketed IPS hardware and associated software. My personal opinion is Cisco saw no big money in the Layer 7 detection market (or at least did not see how it fit well into their primarily hardware business), so they released it to open source.
The documentation out there on it is very sparse. The rules stubs depend on Lua code for the detection scripts.
-
@bmeeks I got this document a couple years ago. Is this useful to you? It's from Sourcefire.
OpenDetectorDeveloperGuide.pdf.zip
I don't know if this is any help or not
https://appid.cisco.com/home
-
@JonathanLee said in Appinfo: Appid ___ is UNKNOWN???:
@bmeeks I got this document a couple years ago. Is this useful to you? It's from Sourcefire.
That document seems to primarily describe the process for writing new detector stubs instead of the text rules themselves.
Here is an old post from the Snort Blog describing how to use the feature: https://blog.snort.org/2014/03/firing-up-openappid.html.
This post, also from the Snort Blog several years ago, shows how to craft and use the required text rules for OpenAppID: https://blog.snort.org/2014/04/openappid-application-rules.html.
And one more link: https://blog.snort.org/2014/02/snort-2970-alpha-with-openappid-quick.html.
And here is a very old Netgate Forum post I created back when OpenAppID was first added to the Snort package: https://forum.netgate.com/topic/75930/snort-2-9-7-0-preview-of-new-openappid-feature. This was many pfSense versions ago. Notice how different the GUI looks in the screen caps.
-
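Both of @bmeeks' posts above (the one explaining that OpenAppID needs the upstream rule stubs plus user-written text rules, and the one linking the Snort Blog post on crafting those text rules) describe a rule file the user has to write and keep consistent with the stub package. The following Python script is an added example and is not code from this thread, from pfSense or from the Snort project. It parses Snort-style text rules that carry the `appid` option (the option syntax is taken from the linked blog posts and is an assumption here), checks each rule for a `sid`, a non-empty `appid` list and duplicate sids, and flags app names that are not in the name list you supply. The rules file and the set of "known" names embedded below are constructed for the demo; in practice the name list has to be built from the stub package actually installed on the sensor.

```python
import re

# Constructed sample text rules file (not the pfSense-maintained file or any real rule set).
SAMPLE_TEXT_RULES = """\
# OpenAppID text rules, constructed sample
alert tcp any any -> any any (msg:"OpenAppID: Facebook"; appid: facebook, facebook_chat; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"OpenAppID: Amazon Fire"; appid: amazon_fire; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"missing sid"; appid: youtube; rev:1;)
alert tcp any any -> any any (msg:"no appid at all"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"duplicate sid"; appid: youtube; sid:1000001; rev:1;)
"""

# Constructed stand-in for the app names your installed stub package knows.
# Build the real set from the stub package on your sensor before using this for real.
KNOWN_APP_NAMES = {"facebook", "facebook_chat", "youtube", "gmail"}

# action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)


def _split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes (e.g. in msg)."""
    pieces, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            pieces.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        pieces.append(''.join(cur))
    out = []
    for raw in pieces:
        raw = raw.strip()
        if not raw:
            continue
        if ':' in raw:
            key, val = raw.split(':', 1)
            out.append((key.strip(), val.strip()))
        else:
            out.append((raw, None))  # flag-style option with no value
    return out


def parse_rule(line):
    """Return a dict for one rule line, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for key, val in _split_options(body):
        opts.setdefault(key, []).append(val)
    appids = []
    for val in opts.get('appid', []):
        appids.extend(a.strip() for a in (val or '').split(',') if a.strip())
    msg = opts.get('msg', [None])[0]
    return {
        'action': action, 'proto': proto, 'src': src, 'dst': dst,
        'sid': opts.get('sid', [None])[0],
        'msg': msg.strip('"') if msg else None,
        'appids': appids,
    }


def check_text_rules(text, known_names):
    """Lint a text rules file; returns a list of human-readable findings (empty = clean)."""
    issues, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        rule = parse_rule(s)
        if rule is None:
            issues.append(f"line {n}: not a parsable rule")
            continue
        if rule['sid'] is None:
            issues.append(f"line {n}: missing sid")
        elif rule['sid'] in seen_sids:
            issues.append(f"line {n}: duplicate sid {rule['sid']} (first seen on line {seen_sids[rule['sid']]})")
        else:
            seen_sids[rule['sid']] = n
        if not rule['appids']:
            issues.append(f"line {n}: no appid option, this rule does not use OpenAppID")
        for name in rule['appids']:
            if name not in known_names:
                issues.append(f"line {n}: appid '{name}' is not in the stub name list")
    return issues


if __name__ == '__main__':
    for finding in check_text_rules(SAMPLE_TEXT_RULES, KNOWN_APP_NAMES):
        print(finding)
```

Run it against your own text rules file and a name set extracted from the stub package you actually have installed; every "not in the stub name list" finding is a rule that cannot match anything until either the name is corrected or the stub package is updated, which is the mismatch @bmeeks describes.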
@bmeeks Thanks for the information, I appreciate you.
I know when we were training on the Palo Alto firewalls at Sierra College the Professor had played with Palo Alto's version called appID detect. Again the school had a paid student licence so we could use all the good rules. They had options like Facebook base and others you could enable to block if you needed. I am just confused, does Snort if it is missing the rule for an unknown id? The text rule that is maintained by pfSense has many useable items.
(Files from pfSense maintained text file)
(New example of the Facebook reference)
We actually were training on that old GUI version of pfSense, most of it is the same as the new one. We also worked with the new one during a project.
-
Your post here https://forum.netgate.com/post/1034999 and
https://forum.netgate.com/topic/171140/appid-metadata-unknown
This was very helpful too. I think you forgot about this one; you list the paths to the text files.
-
@bmeeks I created a list that matches the current rule stub.
Attached here. It works with custom area.
Sorcerer's code file -->> textrules2.txt