Friday, April 4, 2014

OpenAppID Application Rules

In my last post I showed how to get the latest version of Snort up and running in order to explore our latest feature - OpenAppID. Here at Cisco we’ve released application detection as open source.
But the next part of application identification is application control.
The addition of OpenAppID also adds a new keyword to the Snort rules language. The appid keyword can be embedded in any rule to match only on traffic already identified as a specific application. 
This can be used to more easily write rules for a specific application. In some cases you can rely solely on the appid keyword instead of a series of flowbits to identify a specific protocol or application. The appid keyword can also be used to alert on and control application usage. 
For example, maybe you are easily distracted and need some help staying focusing. To this end, Facebook and Reddit should be blocked.
The first step is to confirm the correct appid names used for these sites. For this we must check the appMapping.data file. The seventh column of this file has the short app name that we need for our rule.
$ grep -i reddit appMapping.data |cut -f7
reddit
Now that I know the application name I can write my rule.
alert tcp any any -> any any (msg:”Too much noise”; appid: facebook reddit; sid:1000000; rev:1)
In order to confirm you have the correct appid name, search through the appMapping.data file.
Now let’s test the new rule. I reloaded my web browser and tried Reddit.
Also packaged in the tools subdirectory in the Snort source package is a program called u2spewfoo, which will all you to convert the unified2 binary alerts to readable text. This time we will examine the usual Snort log for rules that have alerted, instead of the application statistics file we looked at before.
u2spewfoo snort.log.1393812653
And then I get the following output.
(Event)
        sensor id: 0    event id: 2     event second: 1393813987        event microsecond: 466131
        sig id: 1000000 gen id: 1       revision: 1      classification: 0
        priority: 0     ip source: 23.0.160.16  ip destination: 192.168.115.183
        src port: 80    dest port: 42472        protocol: 6     impact_flag:
0  blocked: 0
        mpls label: 0   vland id: 0     policy id: 0    appid: reddit

Packet
        sensor id: 0    event id: 2     event second: 1393813987
        packet second: 1393813987       packet microsecond: 466131
        linktype: 1     packet_length: 281
[    0] 00 0C 29 FC 10 A5 00 50 56 FB 1F B8 08 00 45 00  ..)....PV.....E.
[   16] 01 0B 56 B4 00 00 80 06 F7 C8 17 00 A0 10 C0 A8  ..V.............
[   32] 73 B7 00 50 A5 E8 8C 05 0F 4B E0 AA D4 DD 50 18  s..P.....K....P.
[   48] FA F0 C6 F0 00 00 48 54 54 50 2F 31 2E 31 20 33  ......HTTP/1.1 3
[   64] 30 32 20 46 6F 75 6E 64 0D 0A 53 65 72 76 65 72  02 Found..Server
[   80] 3A 20 41 6B 61 6D 61 69 47 48 6F 73 74 0D 0A 4C  : AkamaiGHost..L
[   96] 6F 63 61 74 69 6F 6E 3A 20 68 74 74 70 3A 2F 2F  ocation: http://
[  112] 77 77 77 2E 72 65 64 64 69 74 2E 63 6F 6D 2F 0D  www.reddit.com/.
[  128] 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 30 33 20 4D  .Date: Mon, 03 M
[  144] 61 72 20 32 30 31 34 20 30 32 3A 33 33 3A 30 37  ar 2014 02:33:07
[  160] 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65   GMT..Content-Le
[  176] 6E 67 74 68 3A 20 30 0D 0A 56 69 61 3A 20 31 2E  ngth: 0..Via: 1.
[  192] 31 20 72 74 70 31 30 2D 64 6D 7A 2D 77 73 61 2D  1 rtp10-dmz-wsa-
[  208] 31 2E 63 69 73 63 6F 2E 63 6F 6D 3A 38 30 20 28  1.cisco.com:80 (
[  224] 43 69 73 63 6F 2D 49 72 6F 6E 50 6F 72 74 2D 57  Cisco-IronPort-W
[  240] 53 41 2F 37 2E 35 2E 32 2D 31 31 38 29 0D 0A 43  SA/7.5.2-118)..C
[  256] 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D  onnection: keep-
[  272] 61 6C 69 76 65 0D 0A 0D 0A                       alive....

(ExtraDataHdr)
        event type: 4   event length: 33

(ExtraData)
        sensor id: 0    event id: 2     event second: 1393813987
        type: 9 datatype: 1     bloblength: 9   HTTP URI: /

(ExtraDataHdr)
        event type: 4   event length: 42

(ExtraData)
        sensor id: 0    event id: 2     event second: 1393813987
        type: 10        datatype: 1     bloblength: 18  HTTP Hostname: reddit.com
In addition to the usual data (source IP address, time, protocol, etc.) you will see the new appid field is listed in this event.
While not new to this version of Snort, I think it’s worth pointing out the two extra data fields that show us the HTTP URI and hostname. If you’ve been relying on some older tools to parse your unified data for you, you may not know that this data is available.
Now all I have to do is change my rule from alert to drop and reload Snort and I’ll have a better chance at avoiding distraction!

Happy Snorting! Let us know in the comments how you’re using the latest visibility and control into the application layer.

2 comments:

  1. I installed OpenAppID on Centos 6. It seems to be working fine but shows only HTTP, HTTPS, DNS type apps although I am using Browser for Twitter, Facebook etc.

    statTime="1397339720",appName="https",txBytes="236",rxBytes="1256"
    statTime="1397339870",appName="https",txBytes="182",rxBytes="1577"
    statTime="1397339630",appName="https",txBytes="182",rxBytes="1913"
    statTime="1397339970",appName="https",txBytes="182",rxBytes="1461"
    statTime="1397339870",appName="https",txBytes="344",rxBytes="728"
    statTime="1397340060",appName="https",txBytes="182",rxBytes="1656"
    statTime="1397340210",appName="https",txBytes="418",rxBytes="590"
    statTime="1397339950",appName="https",txBytes="236",rxBytes="1256"
    statTime="1397340210",appName="https",txBytes="182",rxBytes="1461"
    statTime="1397340210",appName="https",txBytes="310",rxBytes="1256"
    statTime="1397340220",appName="http",txBytes="614",rxBytes="8901"
    statTime="1397340250",appName="https",txBytes="182",rxBytes="1461"
    statTime="1397340210",appName="https",txBytes="688",rxBytes="1651"
    statTime="1397340260",appName="dhcp",txBytes="590",rxBytes="0"
    statTime="1397340260",appName="http",txBytes="506",rxBytes="8998"

    ReplyDelete
  2. Hi Rafeeq,

    Sorry it took me so long to notice your comment. Try disabling looking for checksums.

    ReplyDelete