    OpenAppID can't find any app.

    IDS/IPS
    akong:

      I have installed the latest version of Snort, and I have downloaded and enabled the OpenAppID function. I checked "remote access" in this OpenAppID. But I use AnyDesk, and it can't detect it and nothing shows in the alerts. How do I set it up?

      bmeeks:

        Did you follow all the steps shown in this guide: https://doc.pfsense.org/index.php/Setup_Snort_Package#Application_ID_detection_with_OpenApp_ID ?

        Bill

        akong:

          I have checked these options, but it still never shows.

          bmeeks:

            I suspect English is not your primary language, and I am struggling a bit to understand 100% what you are telling me. I think you mean that even after configuring OpenAppID per the linked guide you still are not seeing alerts for AnyDesk.

            I am not the author of the OpenAppID rules archive. I do not know if there is a detection stub and corresponding text rule for that application. Both of those must exist for the application to be detected. Are you sure that specific application is present in the OpenAppID stubs from the Snort VRT and also has a corresponding text detection rule in the OpenAppID rules archive maintained by the volunteer contributor? You may need to create your own custom text rule to detect that application.

            Bill

            silentnomad:

              akong, try adding the following custom rule. Change the sid value if it conflicts with any of your existing sid values.

              alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AnyDesk"; flow:from_client; appid:anydesk; sid:1000055; classtype:misc-activity; rev:1;)
              
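Bill's point above is that an `appid:` rule only fires if the application name it references also exists as a detector stub in the OpenAppID package, and silentnomad's reply adds that the custom rule's SID must not collide with one already loaded. The following Python script is an added example (not code from this thread, from the Snort project or from the pfSense package) that checks both conditions before a rule set is handed to Snort: it parses Snort 2.9-style rule lines, extracts every application name from the `appid:` option (Snort 2.9.7 and later accept a comma-separated list there), and reports names with no detector stub as well as duplicate SIDs. The set of known detector names is a constructed sample; in a real deployment you would build it from the stub files shipped in the OpenAppID archive rather than hard-code it. The sample rules are also constructed: silentnomad's AnyDesk rule plus two deliberately flawed ones.

```python
"""Sanity-check Snort 'appid:' rules against the OpenAppID detector names.

Added example, not code from the forum thread, Snort or pfSense. Assumptions:
- KNOWN_APPIDS is a constructed stand-in for the detector stub names shipped in
  the OpenAppID archive; populate it from the stubs you actually deploy.
- SAMPLE_RULES is a constructed rule set used only to exercise the checker.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of detector names (assumption: one name per stub).
KNOWN_APPIDS = {"anydesk", "teamviewer", "vnc", "ssh", "http", "rdp"}

# Constructed sample: the rule posted in the thread, a multi-app rule, and a
# rule that both reuses SID 1000055 and references a detector that is absent.
SAMPLE_RULES = """\
# AnyDesk rule as posted in the thread
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AnyDesk"; flow:from_client; appid:anydesk; sid:1000055; classtype:misc-activity; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Remote support tools"; appid:teamviewer,anydesk; sid:1000056; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"No such detector"; appid:logmein; sid:1000055; rev:1;)
"""

# One rule option: keyword, optional ':' and a quoted or bare value, then ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    header: str                               # action proto src sport -> dst dport
    options: dict = field(default_factory=dict)  # keyword -> first value seen

    @property
    def sid(self):
        return int(self.options["sid"]) if "sid" in self.options else None

    @property
    def appids(self):
        # appid:foo,bar;  ->  ["foo", "bar"]; compare case-insensitively
        raw = self.options.get("appid", "")
        return [a.strip().strip('"').lower() for a in raw.split(",") if a.strip()]


def parse_rule(line):
    """Split one rule line into its header and option block."""
    line = line.strip()
    if "(" not in line or not line.endswith(")"):
        raise ValueError(f"rule has no option block: {line!r}")
    header, body = line.split("(", 1)
    body = body[:-1].strip()                  # drop the closing ')'
    opts, pos = {}, 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"unparseable options near: {body[pos:pos + 30]!r}")
        key, val = m.group(1), m.group(2)
        opts.setdefault(key, "" if val is None else val.strip())
        pos = m.end()
    return Rule(header.strip(), opts)


def parse_rules(text):
    """Parse every non-blank, non-comment line of a rules file."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_rules(text, known_appids=KNOWN_APPIDS):
    """Report appid names with no detector stub and SIDs used more than once."""
    report = {"unknown_appid": {}, "duplicate_sid": [], "no_appid": []}
    seen = set()
    for rule in parse_rules(text):
        if rule.sid in seen:
            report["duplicate_sid"].append(rule.sid)
        seen.add(rule.sid)
        if not rule.appids:
            report["no_appid"].append(rule.sid)
        missing = [a for a in rule.appids if a not in known_appids]
        if missing:
            report["unknown_appid"][rule.sid] = missing
    return report


if __name__ == "__main__":
    for kind, detail in check_rules(SAMPLE_RULES).items():
        print(f"{kind}: {detail}")
```

Running the script on the constructed sample flags SID 1000055 as duplicated and `logmein` as a name with no detector stub, which is exactly the situation Bill describes: Snort will not raise an alert for an application the stub set does not know, no matter how the text rule is written. Point `known_appids` at the real detector names from your OpenAppID archive to turn this into a pre-deployment check for custom rules such as the AnyDesk one posted above.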