Snort Openappid not showing anything



  • I've just configured snort for IPS security profile on WAN and only the openappid set on LAN. I'm getting attack alerts from the WAN as would be expected, but nothing shows up on the LAN. It's as if openappid isn't working at all. And yes, I've configured it in the global settings, signed up for all the free profiles, etc. Let me know what else should be checked. The only thing I noticed I was getting a SPP_SIP error coming from my voip ATA, but I suppressed it. Don't know if that's appid or just some standard snort thing.



  • Did you enable the AppID preprocessor on the PREPROCESSORS tab for the interface where you are running Snort? If not, you will need to do that, save the configuration change, and then restart Snort on that interface.

    I believe, based on your post, that you have enabled BOTH sets of OpenAppID downloads on the GLOBAL SETTINGS tab. You need the free Snort OpenAppID rules stubs and then you also need the free OpenAppID detection rules.



  • Yes this was it! I didn't do it on the actual tab only on global, THANK YOU.

    A question though, how to do you quiet certain alerts by type? Like I don't need to know that an IP address is using Firefox 1000x a day.



  • Never mind, I just unchecked the category. Thanks.



  • Yep, you will find that OpenAppID generates a lot of noise. I would suggest carefully pruning the rule categories so that you are seeing only the specific traffic types you want to eliminate. For example, maybe Facebook stuff in a corporate network. OpenAppID will generate a lot of log alerts and will tend to completely dominate the info on the ALERTS tab. Unfortunately there is no way within the Snort binary at present to have OpenAppID log to a separate log file so those alerts could be isolated from all the others.