OpenApp ID alerts not displaying
-
I have configured pfSense with Snort and OpenApp ID. I have enabled Sourcefire OpenAppID Detectors and APPID Open rules in the Global Settings. Additionally, I have enabled OpenAppID to detect various applications and OpenAppID statistics logging for the specific interface desired, and I have restarted the Snort interface multiple times. This pfSense machine is running on a Hyper-V Server 2019 host with 4 GB of RAM. Any other ideas where to check to solve this? Thanks.
-
Did you also enable one or more of the various OpenAppID rule categories on the CATEGORIES tab and did you enable the OpenAppID preprocessor on the PREPROCESSORS tab?
You must do several things to use OpenAppID. See the docs here: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#application-id-detection-with-openapp-id.
-
The OpenAppID preprocessor is enabled; however, I am using the Security IPS selection group, so I am not manually selecting the categories. I guess I can't use the IPS selection groups?
-
So I changed the setting from IPS Selection group to manual configuration and was able to start logging App info. Thanks for the recommendation; I will be looking into the possibility of customizing the IPS selection groups.