We are also introducing a new keyword called 'appid'. The new keyword may be used by itself, or in conjunction with any other Snort rule keywords, and may leverage any existing rule actions - alert, block, pass, etc. This provides the ability to control applications and services with the rule language.
OpenAppID will also provide statistics for the bytes sent and received per application within a specific time slot.
To help pass the data to other 3rd party analytics tools we have also created 2 new utilities:
u2openappid- generates a comma separated sheet of the data, including the column’s name and value for the new statistics.
u2streamer- used to stream the live feed to 3rd party tools reading this data. For example, an auth login tool.
To configure your snort.conf to use the OpenAppID you will need to add the following new preprocessor in the following format:
preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 300, app_detector_dir
app_stats_period– The time window where we restart our measuring for each application (In seconds)
app_detector_dir– The full path to where the detectors are located.
alert tcp any any -> any any (msg:”OpenAppID: test for app ssh"; appid: ssh; sid:100000; rev:4; )
- - ssh is the AppID used for detecting SSH based traffic over the network.
We will be continuing to add coverage for additional applications through updates to the detector content package on a regular basis. We welcome any feedback, reports on any issues, questions, as well as contributions of new detectors via a new mailing list: https://lists.sourceforge.net/lists/listinfo/snort-openappid