SNORT OpenAppID detectors package



  • Hi,

    I'm trying to find a good documentation / tutorial for OpenAppID detectors setup. I didn't notice this engine before…



  • There's not much info on it.

    What you need is to download the Snort ruleset and find the appMapping.data file. The file contains all appIDs.

    It will look like this:

    630 Facebook Chat 0 0 82 ~ fb_chat
    631 Facebook Comment 0 0 83 ~ fb_comment
    632 Premier Football 0 0 97 ~ premier_footbal
    633 Facebook Read Email 0 0 85 ~ fb_read_email
    634 Facebook Send Email 0 0 86 ~ fb_send_email
    635 Facebook Status Update 0 0 84 ~ fb_status
    649 GameSpy 0 0 228 ~ gamespy
    650 GameStop 0 0 122 ~ gamestop
    651 GameTrailers 0 0 229 ~ gametrai

    Then you can create a rule with the appid keyword, like this:

    Block Facebook Chat
    alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Block Facebook Chat"; appid: fb_chat; classtype:policy-violation; sid:888999; rev:1;)

    SSH not on port 22…
    alert ip any any -> any !22 (msg:"SSH not on port 22…"; appid: ssh openssh; classtype:policy-violation; sid:888999; rev:1;)

    Port 22 but not SSH…
    alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)

    Sky is the limit…

    To check what apps are on the interface without a rule? Activate AppID in the Snort GUI, go to Snort: WAN logs and select app-stats.log.

    F.



  • You can find the file fsansfil mentioned at this path:

    /usr/pbi/snort-amd64/etc/snort/appid/

    and then navigate down into that path.

    The files in that folder are updated with each Snort rules update when you enable OpenAppID rules download on the GLOBAL SETTINGS tab.  The path above is for 64-bit pfSense.  If you have a 32-bit install, just change amd64 to i386.

    Bill



  • I hoped there was a method to setup the thing using the GUI :(



  • @panz:

    I hoped there was a method to setup the thing using the GUI :(

    Right now nobody publishes any kind of "canned rules" for OpenAppID.  So everything has to be done using Custom Rules.  You create those on the RULES tab.  In the Category drop-down at the top of the tab, choose custom.rules.  That will open a text area window where you can type the custom rules.  @fsansfil provided some good examples to get started.  One warning if you use his examples verbatim!  For simplicity he showed all his examples using the same SID.  Each rule must have its own unique SID.

    As stated by others, the documentation for using OpenAppID is still sparse.  The Cisco/Sourcefire team decided to release the technology to open-source, but I guess they did not want to dedicate a bunch of time to producing detailed documentation for it.

    Bill
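    As an added example (not code from the thread, from pfSense or from Snort) that ties together fsansfil's appMapping.data excerpt and Bill's point about unique SIDs: the script below parses the quoted mapping lines, builds one appid rule per application in the same form as the examples above, and checks a rule set for reused SIDs. It assumes the on-disk file is tab-separated (the forum rendering collapsed the tabs to spaces, so both layouts are accepted), that the short name in the seventh column is the token the appid keyword expects, and that 1000000 is an acceptable local SID base; all three are assumptions, not something the thread states.

```python
"""Added example (not code from the thread, pfSense or Snort): parse the
appMapping.data excerpt quoted in the thread and emit appid rules that
each carry their own SID.

Assumptions: the real file is tab-separated and the forum rendering
collapsed the tabs to spaces, so both forms are accepted; the short name
in column 7 is the token the appid keyword expects; the SID base 1000000
is a local convention, not a Snort requirement.
"""
import re

# Constructed sample: the lines quoted in the thread, as rendered there.
SAMPLE_APPMAPPING = """\
630 Facebook Chat 0 0 82 ~ fb_chat
631 Facebook Comment 0 0 83 ~ fb_comment
632 Premier Football 0 0 97 ~ premier_footbal
649 GameSpy 0 0 228 ~ gamespy
"""

# Space-rendered form: id, display name (may contain spaces), three
# numeric fields, a literal '~', then the short name used by appid:.
_SPACE_FORM = re.compile(r"^(\d+)\s+(.+?)\s+\d+\s+\d+\s+\d+\s+~\s+(\S+)$")


def parse_appmapping(text):
    """Return {short_name: (app_id, display_name)} for every mapping line."""
    apps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" in line:                      # assumed on-disk layout
            fields = line.split("\t")
            if len(fields) < 7 or fields[5] != "~":
                continue
            app_id, name, short = fields[0], fields[1], fields[6]
        else:                                 # forum-rendered layout
            m = _SPACE_FORM.match(line)
            if m is None:
                continue
            app_id, name, short = m.groups()
        apps[short] = (int(app_id), name)
    return apps


def make_rule(short, apps, sid, src="$HOME_NET", dst="$EXTERNAL_NET"):
    """Build one alert rule in the form used in the thread for a given app."""
    if short not in apps:
        raise KeyError("no such appid name in appMapping.data: %s" % short)
    _app_id, name = apps[short]
    return ('alert ip %s any -> %s any (msg:"%s detected"; appid:%s; '
            'classtype:policy-violation; sid:%d; rev:1;)'
            % (src, dst, name, short, sid))


def build_ruleset(shorts, apps, sid_base=1000000):
    """One rule per app, each with a distinct SID: sid_base, sid_base+1, ..."""
    return [make_rule(s, apps, sid_base + i) for i, s in enumerate(shorts)]


_SID = re.compile(r"\bsid:\s*(\d+)\s*;")


def duplicate_sids(rules):
    """SIDs that appear in more than one rule. The thread's examples all
    reuse 888999, which is exactly what this check is meant to catch."""
    seen, dups = set(), set()
    for rule in rules:
        m = _SID.search(rule)
        if m is None:
            continue
        sid = int(m.group(1))
        if sid in seen:
            dups.add(sid)
        seen.add(sid)
    return dups


if __name__ == "__main__":
    apps = parse_appmapping(SAMPLE_APPMAPPING)
    for rule in build_ruleset(["fb_chat", "gamespy"], apps):
        print(rule)
```

    Paste the printed rules into the custom.rules text area described above; `duplicate_sids()` over the whole file tells you whether any SID was reused before Snort is restarted.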



  • @fsansfil:

    To check what apps are on the interface without a rule? Activate AppID in the Snort GUI, go to Snort: WAN logs and select app-stats.log.

    F.

    Question - I have SNORT enabled (but set NOT to block) on both a LAN and WAN port on a fairly busy firewall.  It's been about 20 minutes since I enabled OpenAppID and downloaded the list - how long before I should start to see the app-stats.log fill?  To be clear I did not write any rules, I am looking to report on "what's there."
    Both my LAN and WAN logs state that
    "Log file does not exist or that logging feature is not enabled." and the Log File Path is blank.



  • You can change the AppID Stats logging under the Preprocs tab, where you enabled it.

    I put mine at 3600 secs. I would also force an update to be sure you download the AppID definitions, since you just enabled it.

    And make sure you have checked "Enable OpenAppID Statistics Logging".

    F.



  • @fsansfil:

    Port 22 but not SSH…
    alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)

    F.

    Have you been able to get rules with negated appid keywords like this to work? I have written rules similar to the above for various protocols, but none with negated appids ever alert.



  • Been busy with Suricata lately, haven't played with Snort in some time, but you are right. My fault. As of now you can't negate the appID part, but you can negate src, dst and ports as usual. For example, these rules would trigger:

    alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; appid: http; classtype:policy-violation; sid:12171008; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; classtype:policy-violation; sid:12171009; rev:1;)
    

    appID is really a work in progress and it's not voodoo magic; most of the detection scripts are just looking for cert, protocol, etc… but I guess that's why they made it open, it will grow and refine itself pretty fast with the community.

    Cheers.

    F.
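    As an added example (not code from the thread or from Snort) of the distinction made in this exchange: the checker below parses the rules posted above, flags any appid option containing a negated token (which fsansfil reports Snort does not honour), and evaluates the port negation that does work, so you can see which of the thread's rules would fire for a given app on a given destination port. It assumes a space-separated appid value means "any of these apps", that port specs follow Snort's any / N / !N / [a,b] / ![a,b] / lo:hi forms, and it models only the port and appid checks, not Snort's full matching; the rules are copied from the thread with the trailing ellipses in the msg strings dropped.

```python
"""Added example (not code from the thread or from Snort): lint custom.rules
for negated appid tokens and evaluate the port negation that does work.

Assumptions: appid values are space-separated app names matched as "any of
these"; port specs use any / N / !N / [a,b] / ![a,b] / lo:hi; this is a
simplified model of rule matching, not Snort itself.
"""
import re

# The rules posted in the thread (msg ellipses dropped).
THREAD_RULES = [
    'alert ip any any -> any !22 (msg:"SSH not on port 22"; appid: ssh openssh; classtype:policy-violation; sid:888999; rev:1;)',
    'alert ip any any -> any 22 (msg:"Port 22 but not SSH"; appid: !ssh !openssh; classtype:policy-violation; sid:888999; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,8080] (msg:"HTTP Port Unauthorized"; appid: http; classtype:policy-violation; sid:12171008; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"HTTPS Port Unauthorized"; appid: https; classtype:policy-violation; sid:12171009; rev:1;)',
]

HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# key[:value]; where value is either a quoted string or anything up to ';'
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_rule(rule):
    """Split a Snort rule into header fields and an option -> [values] map."""
    m = HEADER.match(rule.strip())
    if m is None:
        raise ValueError("not a Snort rule: %r" % rule)
    opts = {}
    for om in OPTION.finditer(m.group("opts")):
        key, val = om.group(1), om.group(2)
        opts.setdefault(key, []).append(val.strip() if val is not None else None)
    header = m.groupdict()
    del header["opts"]
    return header, opts


def port_matches(spec, port):
    """Evaluate a Snort port spec: any, 22, !22, [80,8080], ![80,8080], 1:1024."""
    spec = spec.strip()
    if spec == "any":
        return True
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    hit = False
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if ":" in item:                       # range, either bound optional
            lo, hi = item.split(":", 1)
            hit |= (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
        else:
            hit |= int(item) == port
    return hit != negated


def lint_rule(rule):
    """Findings for one rule: negated appid tokens, and a missing sid."""
    _header, opts = parse_rule(rule)
    findings = []
    for val in opts.get("appid", []):
        negated = [t for t in val.split() if t.startswith("!")]
        if negated:
            findings.append("negated appid not supported: " + " ".join(negated))
    if "sid" not in opts:
        findings.append("missing sid")
    return findings


def rule_fires(rule, app, dport):
    """Simplified model: the rule fires when the destination port spec matches
    and the detected app is one of the appid names. A rule with any negated
    appid token never fires, matching what the thread reports."""
    header, opts = parse_rule(rule)
    if not port_matches(header["dport"], dport):
        return False
    names = [t for val in opts.get("appid", []) for t in val.split()]
    if any(t.startswith("!") for t in names):
        return False
    return app in names


if __name__ == "__main__":
    for rule in THREAD_RULES:
        print(parse_rule(rule)[1]["msg"][0], lint_rule(rule) or "ok")
```

    Running it over the four rules reports the "Port 22 but not SSH" rule as the only one with a finding; the two HTTP/HTTPS rules rely on port negation alone, which is why they trigger.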

