Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SNORT OpenAppID detectors package

    Scheduled Pinned Locked Moved
    IDS/IPS
    5
    9
    8.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • panzP
      panz
      last edited by

      Hi,

      I'm trying to find a good documentation / tutorial for OpenAppID detectors setup. I didn't notice this engine before…

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      1 Reply Last reply Reply Quote 0
      • F
        fsansfil
        last edited by

        Theres not much info on it.

        What you need is download the Snort ruleset and find the appMapping.data file. The file contains all appIDs.

        It will look like this:

        630 Facebook Chat 0 0 82 ~ fb_chat
        631 Facebook Comment 0 0 83 ~ fb_comment
        632 Premier Football 0 0 97 ~ premier_footbal
        633 Facebook Read Email 0 0 85 ~ fb_read_email
        634 Facebook Send Email 0 0 86 ~ fb_send_email
        635 Facebook Status Update 0 0 84 ~ fb_status
        649 GameSpy 0 0 228 ~ gamespy
        650 GameStop 0 0 122 ~ gamestop
        651 GameTrailers 0 0 229 ~ gametrai

        Then you can create rule with the appid keyword. Like this:

        Block Facebook Chat
        alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Block Facebook Chat"; appid: fb_chat; classtype:policy-violation; sid:888999; rev:1;)

        SSH not on port 22…
        alert ip any any -> any !22 (msg:"SSH not on port 22…"; appid: ssh openssh; classtype:policy-violation; sid:888999; rev:1;)

        Port 22 but not SSH…
        alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)

        Sky is the limit…

        To check what Apps are on the interface w/o rule ? activate appID in the Snort GUI, go to Snort: WAN logs and select app-stats.log.

        F.

        1 Reply Last reply Reply Quote 1
        • bmeeksB
          bmeeks
          last edited by

          You can find the file fsansfil mentioned on this path:

          /usr/pbi/snort-amd64/etc/snort/appid/

          and then navigate down into that path.

          The files in that folder are updated with each Snort rules update when you enable OpenAppID rules download on the GLOBAL SETTINGS tab.  The path above is for 64-bit pfSense.  If you have a 32-bit install, just change amd64 to i386.

          Bill

          1 Reply Last reply Reply Quote 0
          • panzP
            panz
            last edited by

            I hoped there was a method to setup the thing using the GUI :(

            pfSense 2.3.2-RELEASE-p1 (amd64)
            motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              @panz:

              I hoped there was a method to setup the thing using the GUI :(

              Right now nobody publishes any kind of "canned rules" for OpenAppID.  So everything has to be done using Custom Rules.  You create those on the RULES tab.  In the Category drop-down at the top of the tab, choose custom.rules.  That will open a text area window where you can type the custom rules.  @fsansfil provided some good examples to get started.  One warning if you use his examples verbatim!  For simplicity he showed all his examples using the same SID.  Each rule must have its own unique SID.

              As stated by others, the documentation for using OpenAppID is still sparse.  The Cisco/Sourcefire team decided to release the technology to open-source, but I guess they did not want to dedicate a bunch of time to producing detailed documentation for it.

              Bill

              1 Reply Last reply Reply Quote 0
              • S
                snm777
                last edited by

                @fsansfil:

                To check what Apps are on the interface w/o rule ? activate appID in the Snort GUI, go to Snort: WAN logs and select app-stats.log.

                F.

                Question - I have SNORT enabled (but set NOT to block) on both a LAN and WAN port on a fairly busy firewall.  It's been about 20 minutes since I enabled OpenAppID and downloaded the list - how long before I should start to see the app-stats.log fill?  To be clear I did not write any rules, I am looking to report on "what's there."
                Both my LAN and WAN logs state that
                "Log file does not exist or that logging feature is not enabled." and the Log File Path is blank.

                1 Reply Last reply Reply Quote 0
                • F
                  fsansfil
                  last edited by

                  You can change the AppID Stats logging under the Preprocs tab…Where you enabled it.

                  I put mine at 3600 secs. I would also force an update to be sure you download the AppID definitions, since you just enable it.

                  and make sure you have checked Enable OpenAppID statistics Logging.

                  F.

                  1 Reply Last reply Reply Quote 0
                  • J
                    jeffhammett
                    last edited by

                    @fsansfil:

                    Port 22 but not SSH…
                    alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)

                    F.

                    Have you been able to get rules with negated appid keywords like this to work? I have written rules similar to the above for various protocols, but none with negated appid's ever alert.

                    1 Reply Last reply Reply Quote 0
                    • F
                      fsansfil
                      last edited by

                      Been busy with Suricata lately, havent played with Snort in some time, but you are right. My fault. As of now you cant negate the appID part. But you can negate src, dst, ports as usual. For an example these rules would trigger;

                      alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; appid: http; classtype:policy-violation; sid:12171008; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; classtype:policy-violation; sid:12171009; rev:1;)

                      appID is really a work in progress and its not voodoo magic, most of the detection script are just looking for cert, protocol, etc…but I guess thats why they made it Open, it will grow and refine itself pretty fast with the community.

                      Cheers.

                      F.

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post