Snort OpenAppID category logging
-
Hi All,
I am using snort OpenAppID to track application usage and sending the syslogs to a graph solution.
But the log only contains the SID and the application name - not the name of the category.For example, this rule comes from the 'openappid-social_networking.rules' category
Dec 17 13:52:50 snort 1706 [1:70439:1] facebook [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443The OpenAppID rule packs are grouped by category like social networking, gaming, business etc
I would like the log entry to contain the name of the rule pack included in the log entry.
is this possible? -
@josef said in Snort OpenAppID category logging:
Hi All,
I am using snort OpenAppID to track application usage and sending the syslogs to a graph solution.
But the log only contains the SID and the application name - not the name of the category.For example, this rule comes from the 'openappid-social_networking.rules' category
Dec 17 13:52:50 snort 1706 [1:70439:1] facebook [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443The OpenAppID rule packs are grouped by category like social networking, gaming, business etc
I would like the log entry to contain the name of the rule pack included in the log entry.
is this possible?Sorry, not possible. The choice of category names is a cosmetic grouping performed by the rules creator. When Snort actually loads rules into memory it does not record which file the rule came from, so that information (the category name) is not available in memory for the binary to even log. This is a limitation of the Snort binary and has nothing to do with the GUI package that manages it.
-
@bmeeks Thanks for confirming
-
@josef said in Snort OpenAppID category logging:
@bmeeks Thanks for confirming
It might be more work than you want to tackle, but the text rules portion of the OpenAppID process can be edited by the user. You can edit the message text to include whatever you want. So you could insert something that you could later key on in logging. Of course your edits would not survive an OpenAppID rules update unless you created some kind of fancy shell script you could run at the end of a rules update.
-
@bmeeks "created some kind of fancy shell script" I'm not smart enough for that
But thanks for the suggestion.
The other potential option is to use a lookup table on the backend log server.
I am using Graylog and it has the ability to do that, so it would create a new column and populate the category based on the SID match in the lookup table.