Snort OpenAppID on the GUI



  • I know that currently we're able to script Snort 2.9.7.0 to block protocols and websites using OpenAppID preprocessors. Are there any plans to be able to turn the processors on and off using the GUI?



  • @Heli0s:

    I know that currently we're able to script Snort 2.9.7.0 to block protocols and websites using OpenAppID preprocessors. Are there any plans to be able to turn the processors on and off using the GUI?

    You can  already turn the entire preprocessor on or off, but I think you mean the individual OpenAppID rules.  Those are currently handled as custom rules, so to turn them on or off you manually edit the custom rules by going to the RULES tab and selecting "Custom Rules" in the category drop-down.  You must currently create your own OpenAppID text rules.

    The OpenAppID process works by defining Lua scripts that actually detect the various applications.  These are updated periodically from the Snort VRT web site as part of the other VRT rule updates when OpenAppID is enabled on the GLOBAL SETTINGS tab.  To actually have Snort detect and alert on a particular application, you must create a conventional text rule containing the "appid:" keyword.  You create those in the custom rules dialog as described earlier.

    Until someone releases a package of pre-defined OpenAppID text rules to match up with the definitions in the Lua scripts, the custom rules process will be needed.

    Bill



  • Is there a tutorial somewhere showing how to create these rules?



  • @Heli0s:

    Is there a tutorial somewhere showing how to create these rules?

    Here is a link to the original preview thread I created.  It has an example rule, and then a link to some Snort VRT Blog posts.  You may have already seen this, though:  https://forum.pfsense.org/index.php?topic=84227.0

    Other than at the Snort VRT Blog web site, I've seen no other example rules yet.  I think the technology is still a bit new.

    Bill



  • I think I understand the screenshot that has the rule, but just to clarify:

    • Where can I get the appid from?

    • What are the sid, classtype, and rev and where do I get them from?



  • @Heli0s:

    I think I understand the screenshot that has the rule, but just to clarify:

    • Where can I get the appid from?

    • What are the sid, classtype, and rev and where do I get them from?

    I don't remember the exact URL, but if you follow through those Snort VRT links in the Preview Thread I provided, you will see a small bash one-liner for dumping out all the available app IDs (names really).  Here is the command:

    Note: the path below assumes you have 64-bit architecture.  If you have a 32-bit install, substitute i386 for amd64 in the path.

    
    cat /usr/pbi/snort-amd64/etc/snort/appid/odp/appMapping.data | cut -f2
    
    

    The appMapping.data file is a text file containing the detected applications.  It contains the corresponding appID code in one of the columns.

    For custom rules, you make up your own SIDs.  Just use values from 900000 and up to be sure you don't step on any of the other rule set SIDs.  The key is just don't duplicate SIDs.  Each text rule must have a unique SID.  Choose any rev you want so long as it is a number.  I suggest "1".  The classtype value must be one of the classes listed in the file classification.config in the /usr/pbi/snort-amd64/etc/snort directory.  There is no specific one for app ID, so I just chose "Misc Activity".

    Bill



  • By the way, if you come up with a collection of working rules for OpenAppID that you think others would find useful, please share them here on the Forum.  This is a new technology, and group collaboration would be a good thing as folks learn and try it out.

    Bill


Log in to reply