Snort OpenAppID log flooding


  • Hi all,

    I am using Snort with OpenAppID categories to monitor application usage.
    I configure 'Send Alerts to System Log' and then send system logs via remote syslog to Graylog.
    This works well but it appears to generate an alert log for each packet (as opposed to each connection).
    I will see multiple identical logs - with the same application, source port, source IP, destination port and destination IP.
    EG:
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    So if I do something like a speedtest on my 300M connection, it will result in about 50K syslog messages.

    Is there a way to have Snort only log once per connection?
    I tried to use suppression rules - but the suppress option makes it not log at all and the rate limit option requires a SID to be specified.

    Thanks!!


  • @josef said in Snort OpenAppID log flooding:

    Hi all,

    I am using Snort with OpenAppID categories to monitor application usage.
    I configure 'Send Alerts to System Log' and then send system logs via remote syslog to Graylog.
    This works well but it appears to generate an alert log for each packet (as opposed to each connection).
    I will see multiple identical logs - with the same application, source port, source IP, destination port and destination IP.
    EG:
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
    So if I do something like a speedtest on my 300M connection, it will result in about 50K syslog messages.

    Is there a way to have Snort only log once per connection?
    I tried to use suppression rules - but the suppress option makes it not log at all and the rate limit option requires a SID to be specified.

    Thanks!!

    You must use the rate limit option to do this. And every rule has a unique SID. You can see it on the ALERTS tab. Currently the GUI does not offer a means to configure rate limits. You will need to do this by manually editing the Suppression List configured for the interface. You can manually edit the list on the SUPPRESS tab.


  • @bmeeks Thanks!
    Is there a way to configure a rate limit rule to cover all SID's?
    Otherwise I would need to create a rule for every SID relating to OpenAppID


  • @josef said in Snort OpenAppID log flooding:

    @bmeeks Thanks!
    Is there a way to configure a rate limit rule to cover all SID's?
    Otherwise I would need to create a rule for every SID relating to OpenAppID

    I don't know if thresholding accepts SID ranges or not. You will need to check the official Snort documentation for details. The Snort name for suppression is "rule thresholding". So in the Snort documentation you will find the rate limiting guidance under that section. There is also an official Snort mailing list you can sign up for. All of this can be found at https://www.snort.org.

    Oops! I need to correct myself a bit. When using the global thresholding (as with a Suppression List) you can only use SID:0 when means "all rules". You can specify a specific Generator ID (GID), though with OpenAppID that won't work (see farther below for why). The other thresholding is a per-rule thing that you add within the rule signature itself. That would mean editing the actual rules themselves. Details are here: https://www.snort.org/faq/readme-thresholding.

    One complicating issue with OpenAppID rules is they do not currently have their own unique Generator ID (GID). They get the generic GID 1. So identifying them is not as easy as it is for the preprocesor rules like HTTP_INSPECT, Sensitive Data and others. I once asked the Snort developer team, soon after OpenAppID was released, to consider creating a separate GID for them. To my knowledge that has not yet happened.


  • @bmeeks Ahhh - thank you. You have helped me greatly!
    This simple suppression rule has solved my problem
    threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
    Now I will only get 1 log per source IP to the same application within 60 seconds.

    The gui should perhaps be updated because it says "Valid keywords are 'suppress', 'event_filter' and 'rate_filter'."
    But actually threashold is also a valid keyword.

    Thanks!!


  • @josef said in Snort OpenAppID log flooding:

    @bmeeks Ahhh - thank you. You have helped me greatly!
    This simple suppression rule has solved my problem
    threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
    Now I will only get 1 log per source IP to the same application within 60 seconds.

    The gui should perhaps be updated because it says "Valid keywords are 'suppress', 'event_filter' and 'rate_filter'."
    But actually threashold is also a valid keyword.

    Thanks!!

    I will add "threshold" to the tip. I'm working on the Snort 2.9.17 update over the next few days.

    Note that gen_id 1, sig_id 0 will apply that threshold to all of your general rules. Probably not an issue for you, but just wanted to make sure you realize that. GID 1 is the ID for all the rules in all the user-configurable categories. There are some specialized GID values for the built-in Snort rules like HTTP_INSPECT and others. This is all explained in the official documention when looking up GID (Generator ID). This was why I asked the Snort team to consider creating that special GID for OpenAppID so those rules could be easily distinguished from all the other general text rules. But so far that feature has not been incorporated.