Friday, March 14, 2014

OpenAppID Install Video

OpenAppID Install

This short blog post accompanies the below video showing the installation of Snort with OpenAppID onto a completely clean Ubuntu Server running 13.10. Hold on to your hat, it’s a quick video, so fast in fact we thought it wise to also provide this text listing of the commands typed (without the typos you’ll see in the video).

If you’ve not watched the video yet, go watch it now, below for reference.

Step #1, Prep the system.

You’ll need to download the following files from


You’ll find the first three files in the downloads section, and the last file in the rules section The exact rules files available will change over time, just make sure you get one that is compatible with Snort 2.9.x release.

Start with a clean installation of Ubuntu 13.10 Server. The only task selected for the system to be used at during installation was an SSH Server. The files were downloaded into a directory called build.

mkdir ~/build
cd ~/build

Step #2, Install Snort requirements

The following packages were added to the system via apt.

apt-get install openssl libssl-dev build-essential g++ flex bison zlib1g-dev autoconf libtool libpcap-dev libpcre3-dev libdumbnet-dev build-essential

Libdnet-1.11 and LuaJIT were compiled and used so we were running the same versions as those who were developing OpenAppID.

cd ~/build/
tar xzvf libdnet-1.11.tar.gz
cd libdnet-1.11/
sudo make install

cd ~/build/
tar xzvf LuaJIT-2.0.2.tar.gz
cd LuaJIT-2.0.2/
sudo make install

cd ~/build/
tar -xzvf daq-2.0.2.tar.gz
cd daq-2.0.2/
sudo make install
sudo ldconfig

Step #3 Building Snort with OpenAppID support.

cd ~/build/
tar -zxvf snort-
cd snort-
./configure --enable-sourcefire --enable-open-appid
sudo make install

Step #4 Configure Snort without OpenAppID enabled

Before we jump into the new capabilities of OpenAppID, it’s best to make sure the foundations are functioning. Snort needs some configuration files and directories to be made.

sudo mkdir /etc/snort # For configuration
sudo mkdir /var/log/snort # For log data
sudo mkdir /usr/local/lib/snort_dynamicrules # For dynamic rules
sudo mkdir /etc/snort/rules # For normal text rules
touch /etc/snort/white_list.rules # For white lists
touch /etc/snort/black_list.rules # For black lists

A set of configuration files are included in the snort tarball. These can be copied into your /etc/snort/ directory.

cd ~/build/snort-
sudo cp attribute_table.dtd file_magic.conf snort.conf classification.config reference.config threshold.conf /etc/snort/

The last thing to do is to add some of the VRT supplied rules to enable snort to detect ‘bad’ stuff. We’ve untarred unto a temp directory called ‘crules’, the name has no meaning.

cd ~/build
mkdir crules
mv snortrules-snapshot-2960.tar.gz crules
cd crules/
tar -zxvf snortrules-snapshot-2960.tar.gz

sudo cp -r preproc_rules /etc/snort
sudo cp -r rules /etc/snort/
sudo cp -r so_rules /etc/snort/

The next step is to configure the snort.conf file. They key changes made to get Snort working were:

RULE_PATH /etc/snort/rules
SO_RULE_PATH /etc/snort/rules
PREPROC_RULE_PATH /etc/snort/rules
WHITE_LIST_PATH /etc/snort
BLACK_LIST_PATH /etc/snort

To test Snort’s config the -T option can be used. If Snort has any problems with configuration, it will let you know.

sudo snort -c /etc/snort/snort.conf -T

Step #5 Enabling OpenAppID in Snort.

First we need to add the OpenAppID detector package, this was one of the files that was downloaded earlier.

cd ~/build
tar -zxvf ./snort-openappid-detectors.2014-02-22.187-0.tgz
sudo mkdir /usr/local/lib/openappid
sudo mv odp/ /usr/local/lib/openappid/

The appid preprocessor now needs to be enabled in Snort. Add the following line at the end of the preprocessor section.

preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 60, app_detector_dir /usr/local/lib/openappid

Every 60 seconds details of the apps found in use on the network will be dropped into this file
To start Snort,  the following command was used.

sudo snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none

In future posts we’ll go into some of the other ways you can use Snort with OpenAppID, but this should be enough to get you started. If you have any questions, please send them to the snort-openappid mailing list at