Netgate Discussion Forum

    Snort OpenAppID category logging

    Josef

      Hi All,
      I am using Snort OpenAppID to track application usage and sending the syslogs to a graph solution.
      But the log only contains the SID and the application name - not the name of the category.

      For example, this rule comes from the 'openappid-social_networking.rules' category:
      Dec 17 13:52:50 snort 1706 [1:70439:1] facebook [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443

      The OpenAppID rule packs are grouped by category like social networking, gaming, business, etc.
      I would like the log entry to contain the name of the rule pack included in the log entry.
      Is this possible?

      bmeeks @Josef

        @josef said in Snort OpenAppID category logging:

        Hi All,
        I am using Snort OpenAppID to track application usage and sending the syslogs to a graph solution.
        But the log only contains the SID and the application name - not the name of the category.

        For example, this rule comes from the 'openappid-social_networking.rules' category:
        Dec 17 13:52:50 snort 1706 [1:70439:1] facebook [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443

        The OpenAppID rule packs are grouped by category like social networking, gaming, business, etc.
        I would like the log entry to contain the name of the rule pack included in the log entry.
        Is this possible?

        Sorry, not possible. The choice of category names is a cosmetic grouping performed by the rules creator. When Snort actually loads rules into memory it does not record which file the rule came from, so that information (the category name) is not available in memory for the binary to even log. This is a limitation of the Snort binary and has nothing to do with the GUI package that manages it.

        Josef @bmeeks

          @bmeeks Thanks for confirming

          bmeeks @Josef

            @josef said in Snort OpenAppID category logging:

            @bmeeks Thanks for confirming

            It might be more work than you want to tackle, but the text rules portion of the OpenAppID process can be edited by the user. You can edit the message text to include whatever you want. So you could insert something that you could later key on in logging. Of course your edits would not survive an OpenAppID rules update unless you created some kind of fancy shell script you could run at the end of a rules update.

            Josef @bmeeks

              @bmeeks "created some kind of fancy shell script" I'm not smart enough for that 😁
              But thanks for the suggestion.
              The other potential option is to use a lookup table on the backend log server.
              I am using Graylog and it has the ability to do that, so it would create a new column and populate the category based on the SID match in the lookup table.

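One way to build the lookup table described in the last post, as example code added here (not from the thread, Snort, or the pfSense package): derive the category from each openappid-<category>.rules filename, map every SID to it, emit the table as CSV for a Graylog CSV lookup table, and optionally tag a Snort alert line directly. The rule file contents below are constructed stand-ins; only the sid and msg options are parsed.

```python
import csv
import io
import re

# Constructed stand-ins for two OpenAppID rule-pack files (rule syntax is
# approximated; only the sid and msg options matter for the lookup).
SAMPLE_RULE_FILES = {
    "openappid-social_networking.rules":
        'alert tcp any any -> any any (msg:"facebook"; appid:facebook; sid:70439; rev:1;)\n'
        'alert tcp any any -> any any (msg:"twitter"; appid:twitter; sid:70440; rev:1;)\n',
    "openappid-gaming.rules":
        '# comment line\n'
        'alert tcp any any -> any any (msg:"steam"; appid:steam; sid:70501; rev:1;)\n',
}

FILE_RE = re.compile(r"^openappid-(?P<category>.+)\.rules$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
LOG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev] in a Snort alert line

def build_sid_table(rule_files):
    """Map sid -> (category, msg); the category is the rule-pack filename suffix."""
    table = {}
    for filename, text in rule_files.items():
        m = FILE_RE.match(filename)
        if not m:
            continue
        for line in text.splitlines():
            line = line.strip()
            sid = SID_RE.search(line) if line and not line.startswith("#") else None
            if sid:
                msg = MSG_RE.search(line)
                table[int(sid.group(1))] = (m.group("category"), msg.group(1) if msg else "")
    return table

def to_graylog_csv(table):
    """Render the table as CSV for a Graylog CSV lookup table keyed on sid."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["sid", "category", "msg"])
    for sid in sorted(table):
        w.writerow([sid, *table[sid]])
    return buf.getvalue()

def enrich_log_line(line, table):
    """Append the category for the sid in a Snort alert line when it is known."""
    m = LOG_RE.search(line)
    entry = table.get(int(m.group(2))) if m else None
    return line if entry is None else f"{line} [Category: {entry[0]}]"
```

To use it against a real install, read each openappid-*.rules file from the Snort rules directory into the dictionary in place of the constructed samples and re-run it after every rules update, since the SIDs are stable but the table is only as current as the rule packs it was built from.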
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.