IT Tips 2018. 4. 6. 12:09

Invalid app error message on Snort OpenApp ID


Annoying 'Invalid App id' from Snort OpenAppID

Snort is one of the best-known open source tools for DPI (deep packet inspection) and network security monitoring. Snort has now been extended with OpenAppID, which identifies the applications in network traffic by analysing packets.

To try out this functionality I installed Snort with OpenAppID, but I kept getting an "Invalid app" error message even after checking the installation and reinstalling several times.

The messages I got were as follows.

Snort itself starts without any error. The "Commencing packet processing" message means Snort is now capturing and monitoring packets.

The next message, "invalid appid in appStat Record (638)", is written by the AppID statistics output when the numeric application ID in a statistics record (638 here) cannot be resolved to a known application, i.e. Snort has failed to identify which application the traffic belongs to.

To fix this I tried everything I could think of and finally got through it. I want to share the solution.


The 'Invalid Appid' error is caused by a wrong directory setting

The cause of this issue was a wrong entry in the Snort configuration. My Snort configuration is stored in /etc/snort.

The file snort.conf holds all of the configuration. Among other things, it sets the directories for the OpenAppID detectors, the local rules, and so on.

To activate OpenAppID in Snort, the following appid preprocessor configuration has to be present in snort.conf:

[Files on my linux /etc/snort]

[root@localhost snort]# pwd
/etc/snort
[root@localhost snort]# ls
classification.config  menu-content.js   rules             threshold.conf
community-rules        openappid         snort.conf        unicode.map
etc                    preproc_rules     snort.conf_clean
gen-msg.map            reference.config  so_rules
[root@localhost snort]#


[snort.conf]

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

preprocessor appid: app_stats_filename appstats-u2.log, \
   app_stats_period 10, \
   app_detector_dir /etc/snort/openappid



###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

Only the appid block above is specific to OpenAppID (the reputation block is simply the preprocessor that precedes it in snort.conf). The directory setting is app_detector_dir /etc/snort/openappid.

This value needs care. My directory structure is as follows.

[root@localhost snort]# pwd
/etc/snort
[root@localhost snort]# ls
classification.config  menu-content.js   rules             threshold.conf
community-rules        openappid         snort.conf        unicode.map
etc                    preproc_rules     snort.conf_clean
gen-msg.map            reference.config  so_rules
[root@localhost snort]# cd openappid/
[root@localhost openappid]# ls
odp
[root@localhost openappid]# cd odp
[root@localhost odp]# ls
appid.conf       AUTHORS  LICENSE  port    version.conf
appMapping.data  libs     lua      README
[root@localhost odp]#

On my CentOS Linux the OpenAppID detector package is stored at '/etc/snort/openappid/odp', as shown above.

Given this layout, how should the directory be set?

Initially I set it in snort.conf as 'app_detector_dir /etc/snort/openappid/odp'. But 'odp' is itself part of the detector package's directory structure: the appid preprocessor takes app_detector_dir as the parent directory and looks for the package in the odp subdirectory beneath it.

When it needs a detector, it looks for paths such as ./odp/appid.conf or ./odp/lua/client_100bao.lua relative to app_detector_dir. With app_detector_dir pointing at the odp directory itself, Snort looks under /etc/snort/openappid/odp/odp/, finds no detectors or application mapping there, and so cannot resolve any application ID.

Therefore the directory setting must not include 'odp'.

The correct setting is as follows.

Wrong: app_detector_dir /etc/snort/openappid/odp

Correct: app_detector_dir /etc/snort/openappid


After I changed the directory setting in snort.conf, the 'invalid app' error messages stopped.

If you are seeing this kind of error message, correct the directory setting in your snort.conf.
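The following shell script is an added example, not part of the original post or of the Snort project. It checks the app_detector_dir value in a snort.conf the way described above, assuming the layout shown in the listing: the appid preprocessor appends odp/ to app_detector_dir on its own, so the directory must contain odp/appMapping.data and odp/lua, and must not itself end in /odp. The directory tree and the two snort.conf fragments used by the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: check the
# app_detector_dir value in a snort.conf against the on-disk ODP layout.
# Assumption: the appid preprocessor appends "odp/" to app_detector_dir
# itself, so the directory must contain odp/appMapping.data and odp/lua and
# must not itself end in /odp.

# Print the app_detector_dir value from a snort.conf. Works whether the
# keyword is on the "preprocessor appid:" line or on a backslash-continued
# line, strips a trailing comma, and ignores comment lines.
get_app_detector_dir() {
    awk '/^[[:space:]]*#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i == "app_detector_dir") { sub(/,$/, "", $(i + 1)); print $(i + 1); exit } }' "$1"
}

# Return 0 when the directory is usable by OpenAppID, 1 otherwise, with the
# reason on stdout.
check_app_detector_dir() {
    dir=${1%/}                       # drop a trailing slash
    case "$dir" in
        "")    echo "no app_detector_dir found in config"; return 1 ;;
        */odp) echo "WRONG: '$dir' ends in /odp; Snort appends odp/ itself, use '${dir%/odp}'"; return 1 ;;
    esac
    [ -f "$dir/odp/appMapping.data" ] || { echo "WRONG: '$dir/odp/appMapping.data' not found"; return 1; }
    [ -d "$dir/odp/lua" ]            || { echo "WRONG: '$dir/odp/lua' not found"; return 1; }
    echo "OK: '$dir' contains odp/appMapping.data and odp/lua"
    return 0
}

# Demo on a constructed copy of the layout from the post: the wrong and the
# corrected snort.conf fragment side by side. Returns 0 when the checker
# rejects the first and accepts the second.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/openappid/odp/lua"
    : > "$tmp/openappid/odp/appMapping.data"
    printf 'preprocessor appid: app_stats_filename appstats-u2.log, \\\n  app_stats_period 10, \\\n  app_detector_dir %s\n' \
        "$tmp/openappid/odp" > "$tmp/wrong.conf"
    printf 'preprocessor appid: app_stats_filename appstats-u2.log, \\\n  app_stats_period 10, \\\n  app_detector_dir %s\n' \
        "$tmp/openappid" > "$tmp/right.conf"
    wrong=0; check_app_detector_dir "$(get_app_detector_dir "$tmp/wrong.conf")" || wrong=$?
    right=0; check_app_detector_dir "$(get_app_detector_dir "$tmp/right.conf")" || right=$?
    rm -rf "$tmp"
    [ "$wrong" -eq 1 ] && [ "$right" -eq 0 ]
}

demo
```

Run it against a real installation with `check_app_detector_dir "$(get_app_detector_dir /etc/snort/snort.conf)"`; the /odp check fires before the filesystem is even consulted, because that mistake produces the "invalid appid" messages rather than a startup error.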

 

No white_list.rules, black_list.rules

During the installation of OpenAppID some people get stuck because the files 'white_list.rules' and 'black_list.rules' referenced in snort.conf are not available on snort.org.

So where can we get these files?

Snort.org does not provide them. If the files referenced by the reputation preprocessor do not exist, Snort prints an error and stops.

You can simply create them. I copied 'local.rules' to both names.

In /etc/snort/rules:

cp local.rules white_list.rules

cp local.rules black_list.rules

This works because the default local.rules contains nothing but comments. Note that the reputation lists are not rule files: the whitelist and blacklist hold IP addresses or CIDR blocks, one per line, with '#' comment lines, so an empty or comment-only file is fine, but Snort rule syntax is not valid in these files. Each file name just indicates its purpose.

If you do not need this functionality, you can comment the reputation preprocessor block out in snort.conf.
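As an added example (not from the original post or from the Snort project), the script below creates comment-only list files and validates the entries of an existing list. It assumes the reputation list format of one IPv4 address or CIDR block per line with '#' comment lines; the file contents in the demo, including a Snort rule line pasted in by mistake, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: create the
# white_list.rules / black_list.rules files the reputation preprocessor
# expects, and validate their contents. Assumption: a reputation list holds
# one IPv4 address or CIDR block per line; blank lines and lines starting
# with '#' are ignored; Snort rule syntax is NOT valid in these files.

# Write a list file that contains only a comment header: a valid, empty list.
# $1 = path, $2 = description for the header line.
make_empty_list() {
    printf '# %s\n# one IPv4 address or CIDR block per line\n' "$2" > "$1"
}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_entry() {
    case "$1" in
        */*) ip=${1%%/*}; pfx=${1#*/} ;;
        *)   ip=$1;       pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    # split on '.' (globbing off so a stray '*' cannot expand)
    oldifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Check every non-blank, non-comment line of list file $1; print offenders on
# stderr and return the number of bad lines (0 means the file is usable).
check_list() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in ''|'#'*) continue ;; esac
        valid_entry "$entry" || { echo "$1: bad entry: $entry" >&2; bad=$((bad + 1)); }
    done < "$1"
    return "$bad"
}

# Demo with constructed files: an empty (comment-only) white list, and a
# black list where a Snort rule line was pasted in by mistake. Returns 0 when
# the white list is clean and exactly one bad line is found in the black list.
demo() {
    tmp=$(mktemp -d)
    make_empty_list "$tmp/white_list.rules" "trusted addresses"
    make_empty_list "$tmp/black_list.rules" "blocked addresses"
    printf '192.0.2.10\n198.51.100.0/24\nalert tcp any any -> any 80 (msg:"not an ip"; sid:1000001;)\n' \
        >> "$tmp/black_list.rules"
    w=0; check_list "$tmp/white_list.rules" || w=$?
    b=0; check_list "$tmp/black_list.rules" || b=$?
    rm -rf "$tmp"
    echo "white_list.rules: $w bad lines, black_list.rules: $b bad lines"
    [ "$w" -eq 0 ] && [ "$b" -eq 1 ]
}

demo
```

To use it on a real box, run `make_empty_list /etc/snort/rules/white_list.rules "trusted addresses"` (and the same for black_list.rules) instead of copying local.rules, and `check_list` on any list you later populate before restarting Snort.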


How to install OpenAppID?

Some people have asked me how to install OpenAppID.

Snort comes in variants: plain Snort, and Snort with the OpenAppID functionality built in.

So you can download the Snort OpenAppID binary or source from Snort.org and install it on your machine.

In my case I installed it on a CentOS 7 machine, where it works well.

For example, for my CentOS 7:

   snort-openappid-2.9.11.1-1.centos7.x86_64.rpm

   Link: https://snort.org/downloads/snort/snort-openappid-2.9.11.1-1.centos7.x86_64.rpm

Detailed installation instructions are well explained on Snort.org, so I do not repeat them here.

If you have any questions, please let me know. OpenAppID is new and there is not much information about it on the Internet.

Good luck with Snort OpenAppID.

Posted by 센스쉐프 SenseChef
Tags: Annoying Invalid App id from Snort OpenApp ID, black_list.rules, How to install OpenApp ID, No white_list.rules, Snort OpenAppID troubleshooting Open Source DPI Packet network security