Thursday, February 27, 2014

Snort Alpha with OpenAppID, a quick introduction to getting started

A new preprocessor has been included with Snort, and when used in conjunction with the OpenAppID detector content package, provides Snort the ability to identify, control and measure the applications in use on the network.  The initial detector package contains logic to identify 1,477 unique protocols, client and server applications, as well as web applications.

We are also introducing a new keyword called 'appid'. The new keyword may be used by itself, or in conjunction with any other Snort rule keywords, and may leverage any existing rule actions - alert, block, pass, etc.  This provides the ability to control applications and services with the rule language.

OpenAppID will also provide statistics for the bytes sent and received per application within a specific time slot.

To help pass the data to other 3rd party analytics tools we have also created 2 new utilities:
  • - u2openappid - generates a comma separated sheet of the data, including the column’s name and value for the new statistics.
  • - u2streamer - used to stream the live feed to 3rd party tools reading this data.  For example, an auth login tool.
To build Snort with OpenAppID, you will need to add the following line in the ./configure script:
./configure --enable-open-appid

To configure your snort.conf to use the OpenAppID you will need to add the following new preprocessor in the following format:

preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 300, app_detector_dir

  • - app_stats_period – The time window where we restart our measuring  for each application (In seconds)
  • - app_detector_dir – The full path to where the detectors are located.
An example on how create a new rule with the appid keyword is as follows:

 alert tcp any any -> any any  (msg:”OpenAppID: test for app ssh"; appid: ssh; sid:100000; rev:4; )
  • - ssh is the AppID used for detecting SSH based traffic over the network.
We currently allow up to 10 AppIDs per rule each can be separated by a space or comma.
For more information about the installation and configuration of the OpenAppID in Snort see the README file included with the source code.

We will be continuing to add coverage for additional applications through updates to the detector content package on a regular basis. We welcome any feedback, reports on any issues, questions, as well as contributions of new detectors via a new mailing list: