OpenAppID can't find any app.
-
I have installed the latest version of Snort. And I have downloaded and enabled the OpenAppID function. I checked remote access in this OpenAppID. But I use AnyDesk. It can't detect it, and nothing shows in the alerts. How do I set it up?
-
Did you follow all the steps shown in this guide: https://doc.pfsense.org/index.php/Setup_Snort_Package#Application_ID_detection_with_OpenApp_ID?
Bill
-
I have checked these options. But it still never shows it.
-
I suspect English is not your primary language, and I am struggling a bit to understand 100% what you are telling me. I think you mean that even after configuring OpenAppID per the linked guide you still are not seeing alerts for AnyDesk.
I am not the author of the OpenAppID rules archive. I do not know if there is a detection stub and corresponding text rule for that application. Both of those must exist for the application to be detected. Are you sure that specific application is present in the OpenAppID stubs from the Snort VRT and also has a corresponding text detection rule in the OpenAppID rules archive maintained by the volunteer contributor? You may need to create your own custom text rule to detect that application.
Bill
-
akong, try adding the following custom rule. Change the sid value if it conflicts with any of your existing sid values.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AnyDesk"; flow:from_client; appid:anydesk; sid:1000055; classtype:misc-activity; rev:1;)
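
The requirement stated above, that an application needs both a detector stub and a text rule before it can alert, can be checked offline. This is an added example, not code from the thread or from the Snort or pfSense projects: it cross-checks an appMapping.data-style listing against a rules file. The tab-separated layout (numeric id, then display name), the lowercase/underscore name normalisation, the function names, and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample data, not copied from a real OpenAppID archive.
# Assumed layout: tab-separated, numeric id first, display name second.
SAMPLE_MAPPING = (
    "900001\tAnyDesk\t900001\t0\t0\t0\n"
    "900002\tExample Remote Tool\t900002\t0\t0\t0\n"
)
SAMPLE_RULES = '''
# disabled or comment lines are skipped
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AnyDesk"; flow:from_client; appid:anydesk; sid:1000055; classtype:misc-activity; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"No stub"; appid:missing_app; sid:1000056; rev:1;)
'''

APPID_OPT = re.compile(r"\bappid\s*:\s*([^;]+);")
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)")

def rule_name(display_name):
    """Assumed normalisation: lowercase, whitespace runs become underscores."""
    return re.sub(r"\s+", "_", display_name.strip().lower())

def load_stub_names(mapping_text):
    """Collect normalised app names that have a detector entry."""
    names = set()
    for line in mapping_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[0].strip().isdigit():
            names.add(rule_name(fields[1]))
    return names

def load_rule_appids(rules_text):
    """Map each appid name to the sids of enabled rules that reference it."""
    found = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_OPT.search(line)
        for opt in APPID_OPT.findall(line):
            for name in filter(None, re.split(r"[,\s]+", opt.strip())):
                found.setdefault(name.lower(), []).append(
                    int(sid.group(1)) if sid else None)
    return found

def coverage(app, mapping_text, rules_text):
    """Report whether an app has a stub and which rule sids would alert on it."""
    key = rule_name(app)
    return {"stub": key in load_stub_names(mapping_text),
            "rule_sids": load_rule_appids(rules_text).get(key, [])}

def orphan_rules(mapping_text, rules_text):
    """Rules whose appid name has no detector entry, so they can never fire."""
    stubs = load_stub_names(mapping_text)
    return {n: s for n, s in load_rule_appids(rules_text).items() if n not in stubs}
```

An application with `stub: True` and an empty `rule_sids` list is identified by the detectors but will never alert until a text rule such as the custom one above is added.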