Netgate Discussion Forum

SNORT OpenAppID detectors package

Category: IDS/IPS
9 Posts 5 Posters 9.3k Views
panz (last edited Mar 27, 2015, 10:58 AM)

    Hi,

    I'm trying to find good documentation or a tutorial for OpenAppID detector setup. I didn't notice this engine before…

    pfSense 2.3.2-RELEASE-p1 (amd64)
    motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

fsansfil (last edited Mar 27, 2015, 1:15 PM)

      There's not much info on it.

      What you need is to download the Snort ruleset and find the appMapping.data file. The file contains all the appIDs.

      It will look like this:

      630 Facebook Chat 0 0 82 ~ fb_chat
      631 Facebook Comment 0 0 83 ~ fb_comment
      632 Premier Football 0 0 97 ~ premier_footbal
      633 Facebook Read Email 0 0 85 ~ fb_read_email
      634 Facebook Send Email 0 0 86 ~ fb_send_email
      635 Facebook Status Update 0 0 84 ~ fb_status
      649 GameSpy 0 0 228 ~ gamespy
      650 GameStop 0 0 122 ~ gamestop
      651 GameTrailers 0 0 229 ~ gametrai

      Then you can create a rule with the appid keyword, like this:

      Block Facebook Chat
      alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Block Facebook Chat"; appid: fb_chat; classtype:policy-violation; sid:888999; rev:1;)

      SSH not on port 22…
      alert ip any any -> any !22 (msg:"SSH not on port 22…"; appid: ssh openssh; classtype:policy-violation; sid:888999; rev:1;)

      Port 22 but not SSH…
      alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)

      Sky is the limit…

      To check what apps are on the interface without rules? Activate appID in the Snort GUI, go to Snort: WAN logs and select app-stats.log.

      F.

bmeeks (last edited Mar 27, 2015, 8:31 PM)

        You can find the file fsansfil mentioned on this path:

        /usr/pbi/snort-amd64/etc/snort/appid/

        and then navigate down into that path.

        The files in that folder are updated with each Snort rules update when you enable OpenAppID rules download on the GLOBAL SETTINGS tab.  The path above is for 64-bit pfSense.  If you have a 32-bit install, just change amd64 to i386.

        Bill

panz (last edited Mar 28, 2015, 10:46 AM)

          I hoped there was a method to setup the thing using the GUI :(


bmeeks (last edited Mar 28, 2015, 4:30 PM)

            @panz:

            I hoped there was a method to setup the thing using the GUI :(

            Right now nobody publishes any kind of "canned rules" for OpenAppID.  So everything has to be done using Custom Rules.  You create those on the RULES tab.  In the Category drop-down at the top of the tab, choose custom.rules.  That will open a text area window where you can type the custom rules.  @fsansfil provided some good examples to get started.  One warning if you use his examples verbatim!  For simplicity he showed all his examples using the same SID.  Each rule must have its own unique SID.

            As stated by others, the documentation for using OpenAppID is still sparse.  The Cisco/Sourcefire team decided to release the technology to open-source, but I guess they did not want to dedicate a bunch of time to producing detailed documentation for it.

            Bill

snm777 (last edited Mar 30, 2015, 1:10 PM)

              @fsansfil:

              To check what apps are on the interface without rules? Activate appID in the Snort GUI, go to Snort: WAN logs and select app-stats.log.

              F.

              Question - I have SNORT enabled (but set NOT to block) on both a LAN and WAN port on a fairly busy firewall.  It's been about 20 minutes since I enabled OpenAppID and downloaded the list - how long before I should start to see the app-stats.log fill?  To be clear I did not write any rules, I am looking to report on "what's there."
              Both my LAN and WAN logs state that
              "Log file does not exist or that logging feature is not enabled." and the Log File Path is blank.

fsansfil (last edited Mar 30, 2015, 6:17 PM)

                You can change the AppID Stats logging under the Preprocs tab… where you enabled it.

                I put mine at 3600 secs. I would also force an update to be sure you download the AppID definitions, since you just enabled it.

                And make sure you have checked Enable OpenAppID Statistics Logging.

                F.

jeffhammett (last edited Apr 9, 2015, 11:03 PM)

                  @fsansfil:

                  Port 22 but not SSH…
                  alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)

                  F.

                  Have you been able to get rules with negated appid keywords like this to work? I have written rules similar to the above for various protocols, but none with negated appids ever alert.

fsansfil (last edited Apr 10, 2015, 1:44 AM)

                    Been busy with Suricata lately, haven't played with Snort in some time, but you are right. My fault. As of now you can't negate the appID part. But you can negate src, dst, ports as usual. For example, these rules would trigger:

                    alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; appid: http; classtype:policy-violation; sid:12171008; rev:1;)
                    alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; classtype:policy-violation; sid:12171009; rev:1;)

                    appID is really a work in progress and it's not voodoo magic; most of the detection scripts are just looking for cert, protocol, etc… but I guess that's why they made it Open, it will grow and refine itself pretty fast with the community.

                    Cheers.

                    F.

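As an added example, not code from this thread or from the Snort project, the following Python script does by hand what fsansfil's two posts describe: it parses lines in the appMapping.data layout quoted above (taking the last column as the name used after the appid keyword, as the post does), builds alert rules carrying the appid option, gives every rule its own SID in the local range (1,000,000 and up, the conventional range for site rules) so the duplicate-SID mistake bmeeks warns about cannot happen, refuses negated app names because the thread reports that negating appid does not work, and instead lets you negate ports the way the HTTP/HTTPS rules in the last post do. The sample mapping lines are constructed from the ones quoted in the thread, the space-separated app list follows the rule syntax used in the posts, and the function names are this example's own.

```python
"""Generate Snort custom rules with the appid option from appMapping.data lines."""
import re
from dataclasses import dataclass

# Constructed sample in the layout quoted in the thread. The shipped file is
# tab-separated; the parser below also accepts runs of spaces, as in a pasted copy.
SAMPLE_APP_MAPPING = """\
630\tFacebook Chat\t0\t0\t82\t~\tfb_chat
631\tFacebook Comment\t0\t0\t83\t~\tfb_comment
632\tPremier Football\t0\t0\t97\t~\tpremier_footbal
633\tFacebook Read Email\t0\t0\t85\t~\tfb_read_email
649\tGameSpy\t0\t0\t228\t~\tgamespy
"""

LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for distributed rulesets


@dataclass(frozen=True)
class AppEntry:
    app_id: int
    display_name: str  # human-readable name, used here for the rule msg
    rule_name: str     # last column: the name given to the appid keyword


# id, display name (may contain spaces), three numeric ids, "~", rule name
_SPACE_LINE_RE = re.compile(r"^(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
_SID_RE = re.compile(r"\bsid:(\d+);")
_APP_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def parse_app_mapping(text):
    """Return AppEntry objects for every well-formed line; skip blanks, comments, junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" in line:
            fields = [f.strip() for f in line.split("\t")]
            if len(fields) < 7 or not fields[0].isdigit():
                continue
            app_id, display_name, rule_name = fields[0], fields[1], fields[6]
        else:
            m = _SPACE_LINE_RE.match(line)
            if not m:
                continue
            app_id, display_name, rule_name = m.group(1), m.group(2), m.group(7)
        entries.append(AppEntry(int(app_id), display_name, rule_name))
    return entries


def make_appid_rule(apps, sid, msg, proto="ip", src="$HOME_NET", sport="any",
                    dst="$EXTERNAL_NET", dport="any", classtype="policy-violation", rev=1):
    """Build one alert rule. Ports/addresses may be negated ('!443'); app names may not."""
    if not apps:
        raise ValueError("at least one app name is required")
    for app in apps:
        if app.startswith("!"):
            raise ValueError(f"negated app name {app!r}: appid cannot be negated, "
                             "negate the port or address instead")
        if not _APP_NAME_RE.fullmatch(app):
            raise ValueError(f"bad app name {app!r}")
    if sid < LOCAL_SID_MIN:
        raise ValueError(f"sid {sid} is below the local range ({LOCAL_SID_MIN}+)")
    if '"' in msg or ";" in msg:
        raise ValueError("msg must not contain quotes or semicolons")
    return (f"alert {proto} {src} {sport} -> {dst} {dport} "
            f'(msg:"{msg}"; appid:{" ".join(apps)}; classtype:{classtype}; '
            f"sid:{sid}; rev:{rev};)")


def check_unique_sids(rules):
    """Raise if two rules share a SID (Snort rejects such rule sets); return the SIDs."""
    seen = {}
    for rule in rules:
        m = _SID_RE.search(rule)
        if not m:
            raise ValueError("rule has no sid: " + rule)
        sid = int(m.group(1))
        if sid in seen:
            raise ValueError(f"duplicate sid {sid}")
        seen[sid] = rule
    return sorted(seen)


def generate_block_rules(mapping_text, wanted_rule_names, base_sid=LOCAL_SID_MIN):
    """One 'Block <app>' rule per requested app, each with a fresh consecutive SID."""
    by_name = {e.rule_name: e for e in parse_app_mapping(mapping_text)}
    rules = []
    for offset, name in enumerate(wanted_rule_names):
        entry = by_name.get(name)
        if entry is None:
            raise KeyError(f"{name!r} not found in appMapping.data")
        rules.append(make_appid_rule([name], base_sid + offset, f"Block {entry.display_name}"))
    check_unique_sids(rules)
    return rules


if __name__ == "__main__":
    for r in generate_block_rules(SAMPLE_APP_MAPPING, ["fb_chat", "gamespy"]):
        print(r)
    # Port negation instead of appid negation, as in the thread's HTTP/HTTPS rules.
    print(make_appid_rule(["http"], 1_000_100, "HTTP Port Unauthorized",
                          proto="tcp", dport="![80,8080]"))
```

Paste the printed rules into the custom.rules text area on the RULES tab; the path to the real appMapping.data on pfSense is the one bmeeks gives above, and the script reads the same layout whether the file is tab-separated or a space-separated copy.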
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.