Unable to get OpenAppID alerts to show up
-
Hi folks! I'm having trouble getting OpenAppID alerts for Snort to show up using pfSense 2.4.5-RELEASE-p1 and Snort 3.2.9.14_1. I've added my LAN interface as a Snort interface, I've enabled OpenAppID and Enable RULES OpenAppID under Global Settings, and I've downloaded the latest rules in the Update tab (they have today's date on them and an MD5 sig). Under the LAN Categories tab for the LAN Snort interface, I've turned on openappid-webbrowser.rules and openappid-social_networking.rules just to test if it's working. Then under the LAN Preprocs tab, under Application ID Detection, I've turned on "Use OpenAppID to detect various applications" and also "AppID Status Logging". When I start Snort on the interface, I get things in app-stats.log but nothing in app-alerts, and nothing shows up in the Alerts tab for the interface. Sample entries from app-stats, showing me that it is in fact identifying things:
statTime="1598369700",appName="Alibaba",txBytes="1835",rxBytes="0"
statTime="1598369700",appName="Scorecard Research",txBytes="4724",rxBytes="0"
statTime="1598369700",appName="The Atlantic",txBytes="1658",rxBytes="0"
statTime="1598369700",appName="Android.com",txBytes="1802",rxBytes="0"
statTime="1598369700",appName="Nexage",txBytes="77733",rxBytes="0"
statTime="1598369700",appName="Evidon",txBytes="4052",rxBytes="0"
statTime="1598369700",appName="Moat",txBytes="3665",rxBytes="0"
statTime="1598369700",appName="Office 365",txBytes="831",rxBytes="0"
statTime="1598369700",appName="Blizzard",txBytes="21126038",rxBytes="32614"
statTime="1598369700",appName="Battle.net site",txBytes="1357",rxBytes="0"
statTime="1598369700",appName="Playstation Games",txBytes="563",rxBytes="0"
statTime="1598369700",appName="F-secure",txBytes="3680",rxBytes="0"
So why isn't it alerting on them? I've read all the instructions a bunch of times and I thought it was supposed to alert. I've also watched several YouTube videos and I'm stumped. I hope I'm being dumb :)
The only alerts I'm getting in the alerts tab are all http_inspect alerts, for instance (http_inspect) UNKNOWN METHOD.
This is on a live network with a lot of student traffic - this is the NAT device for said network.
Any suggestions would be appreciated. Thanks so much in advance!
-
You need to examine the actual rules you have enabled to see if any are configured to actually alert on the specific traffic you are seeking. The text rules that actually generate the alerts were created by a volunteer at a university in Brazil several years ago. I don't think that user is actively maintaining those rules any longer. Quite some time back the pfSense team agreed to host the rules archive file for him, but that's it. The pfSense team does not update the file.
So short version of long story is that perhaps there are no active rules in place to actually alert on the traffic the stats log is showing. You can create your own OpenAppID text rules and enter them into the Custom Rules category on the RULES tab.
-
Thanks, bmeeks, but I don't think that's it. They appear to be actively maintained (I got an update to them today, in fact), pfSense has documentation on how to use them ( https://www.netgate.com/blog/application-detection-on-pfsense-software.html ), and there are numerous examples of people talking about getting them to work with this version of pfSense on YouTube and forums by doing what I describe above. In addition, to take an example from my stats log, which says it identified battle.net, that rule says
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"battle_net"; flow:from_client; appid:battle_net; sid:70380; classtype:misc-activity; rev:1;)
So they are configured to alert. I looked at many other rules in the set, and they also appear to be configured to alert, and they appear to be working, judging from the stats log. They're just not actually alerting, or those alerts aren't showing up in my Alerts tab.
In addition, I've actually tried enabling a whole bunch of the ET rules, and also the Snort app-detection rules, and on my other Snort installations those generate a TON of alerts. I'm still getting ONLY http_inspect alerts, so I actually think that all alerts except http_inspect ones are broken. Any ideas?
Thanks,
-Josiah -
If you are not getting other alerts (except for HTTP_INSPECT ones), my first suspicion is an incorrect HOME_NET and/or EXTERNAL_NET setup. Many rules require those two variables to be correctly set in order to alert properly.
Are there any VLANs in this setup? If so, VLANs can be problematic with detection.
Are you sure Snort has loaded the rules you have enabled? Have you tried restarting Snort on the interface in question?
-
It was the wrong $HOME_NET! Thanks! I had to make an Alias in the pfSense Firewall tab (not inside Snort) that covered the internal networks I wanted to inspect, then set up a "Pass List" that included the Alias and auto-included all the locally attached networks by checking off the boxes for them. THEN I had to go to the interface settings, where I could choose the Pass List I made as "Home Net" under my LAN (the name of the interface I added to Snort) settings. Then I was inspecting what I wanted to. This should have been obvious to me from reading the rules, because as you say, they are mostly written to inspect traffic going from $HOME_NET to $EXTERNAL_NET. The weird part was that you can't just make an "IP List" like the docs say - you have to use a "Pass List" or it won't show up in the list of things you can choose for Home Net. Thanks much!!
-
@wmjosiah said in Unable to get OpenAppID alerts to show up:
It was the wrong $HOME_NET! Thanks! I had to make an Alias in the pfSense Firewall tab (not inside Snort) that covered the internal networks I wanted to inspect, then set up a "Pass List" that included the Alias and auto-included all the locally attached networks by checking off the boxes for them. THEN I had to go to the interface settings, where I could choose the Pass List I made as "Home Net" under my LAN (the name of the interface I added to Snort) settings. Then I was inspecting what I wanted to. This should have been obvious to me from reading the rules, because as you say, they are mostly written to inspect traffic going from $HOME_NET to $EXTERNAL_NET. The weird part was that you can't just make an "IP List" like the docs say - you have to use a "Pass List" or it won't show up in the list of things you can choose for Home Net. Thanks much!!
Glad you found the problem. The current PHP code does expect all the IP lists used for Pass Lists, HOME_NET and EXTERNAL_NET to be defined on the PASS LIST tab. Perhaps a future update can make other list choices available.
-
@wmjosiah
Can I request that you post the specific steps you took? I am stuck at the same place. I am unable to see any applications even though I have turned on OpenAppID.
Thanks -
So before we start, my problem was that my default $HOME_NET wasn't anywhere near broad enough, because of the configuration of my network. My network is fully NATted and includes all RFC 1918 addresses, so since the RFC 1918 hosts on non-locally-attached networks are creating the traffic I want to inspect, and the default $HOME_NET is just the locally attached networks, I did the following. If this isn't your problem, this won't help you, but here we go:
- I went to Firewall - Aliases and made an alias called InternalIPs that contained the RFC 1918 ranges: 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16
- I went to the Services - Snort - Pass Lists tab and created a new pass list, checked off all the auto-generated IP addresses, and added my InternalIPs alias by name in the "Assigned Alias" field
- I then went to the Snort Interfaces tab (still under Services - Snort) and, under the general settings for the relevant interface (LAN in my case), in "Home Net" under "Choose the Networks Snort Should Inspect and Whitelist" I chose the pass list I created in step 2. I also clicked "View List" and verified that all the networks I wanted to inspect traffic from were included. Save, then go back to Snort Interfaces, stop and then start Snort, and see if stuff starts showing up.
Of course also check the normal stuff - both Sourcefire OpenAppID Detectors options checked off in Global Settings, up-to-date AppID signatures in the Updates tab, you've got the right rulesets selected in the <Interface Name> Categories tab, and you've got both options under Application ID in the <Interface name> Preprocs tab checked off.
Hope this helps!
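To see why the $HOME_NET fix described in the last two posts mattered, here is an added example (not code from the thread or from the pfSense Snort package): it parses the header of the battle_net rule quoted earlier and evaluates it against a constructed flow, first with a HOME_NET of only the locally attached LAN and then with the broad InternalIPs alias. It assumes $EXTERNAL_NET is defined as !$HOME_NET and ignores rule options such as appid, which Snort only evaluates after the header matches.

```python
import ipaddress
import re

# The battle_net rule quoted in the thread; EXTERNAL_NET is assumed to be !$HOME_NET.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"battle_net";flow:from_client;appid:battle_net; sid:70380; '
        'classtype:misc-activity; rev:1;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(')

def parse_header(rule):
    """Split a Snort rule header into action, protocol and address/port fields."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    action, proto, src, sport, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def addr_matches(ip, var, home_net):
    """Resolve a rule address field ($HOME_NET, $EXTERNAL_NET, any) for one IP."""
    if var == "any":
        return True
    in_home = any(ip in ipaddress.ip_network(n) for n in home_net)
    if var == "$HOME_NET":
        return in_home
    if var == "$EXTERNAL_NET":  # assumption: EXTERNAL_NET is defined as !$HOME_NET
        return not in_home
    raise ValueError("unsupported address field: " + var)

def rule_matches(rule, src_ip, dst_ip, home_net):
    """True if the flow's addresses satisfy the rule header (ports are 'any' here)."""
    hdr = parse_header(rule)
    return (addr_matches(ipaddress.ip_address(src_ip), hdr["src"], home_net)
            and addr_matches(ipaddress.ip_address(dst_ip), hdr["dst"], home_net))

# Constructed: a HOME_NET of only the locally attached LAN versus the InternalIPs
# alias from the thread (all RFC 1918 space).
DEFAULT_HOME_NET = ["192.168.1.0/24"]
BROAD_HOME_NET = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

if __name__ == "__main__":
    # Constructed flow: a host on a routed RFC 1918 subnet behind the NAT box
    # reaching a public address. Only the broad HOME_NET lets the header match.
    for name, hn in (("default", DEFAULT_HOME_NET), ("broad", BROAD_HOME_NET)):
        print(name, rule_matches(RULE, "10.20.30.40", "203.0.113.5", hn))
```

With the narrow HOME_NET the routed 10.x host counts as external on both sides of the rule, so the header never matches and the appid option is never even consulted, which is why app-stats.log (fed by the detector, not by rules) still showed the application.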