Invalid app error message on Snort OpenApp ID

by SenseChef 2018. 4. 6.

Annoying "Invalid App id" error from Snort OpenAppID

Snort is one of the best-known open-source tools for DPI (Deep Packet Inspection) and security monitoring. It has since been extended with OpenAppID, which identifies the applications in network traffic by analysing packets.

To review this functionality, I installed Snort with OpenAppID. But I kept getting the error message "Invalid app" even though I checked and reinstalled the application several times.

The error messages I got are as follows.

Snort itself was running without errors. The "Commencing packet processing" message means Snort is now capturing and monitoring packets.

The next message, 'invalid appid in appStat Record (638)', means Snort failed to identify which application the traffic belongs to.

To fix this issue I tried everything and finally got through it. I want to share the solution.


The 'Invalid Appid' error is caused by a wrong directory setting in the configuration

The cause was a wrong setting in the Snort configuration. My Snort configuration is stored at /etc/snort.

There is a file named "snort.conf" which holds all configuration information. In it we set the directory for the OpenAppID detectors, the local rules, etc.

To activate OpenAppID on Snort, the following configuration should be added to "snort.conf":

[Files in my Linux /etc/snort]

[root@localhost snort]# pwd
/etc/snort
[root@localhost snort]# ls
classification.config  menu-content.js   rules             threshold.conf
community-rules        openappid         snort.conf        unicode.map
etc                    preproc_rules     snort.conf_clean
gen-msg.map            reference.config  so_rules
[root@localhost snort]#


[snort.conf]

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

 preprocessor appid:app_stats_filename appstats-u2.log, \
 app_stats_period 10, \
 app_detector_dir /etc/snort/openappid



###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

The three "preprocessor appid" lines above are the only ones specific to OpenAppID. The key one is the directory setting app_detector_dir /etc/snort/openappid.

This setting needs care. My directory structure is as follows.

[root@localhost snort]# pwd
/etc/snort
[root@localhost snort]# ls
classification.config  menu-content.js   rules             threshold.conf
community-rules        openappid         snort.conf        unicode.map
etc                    preproc_rules     snort.conf_clean
gen-msg.map            reference.config  so_rules
[root@localhost snort]# cd openappid/
[root@localhost openappid]# ls
odp
[root@localhost openappid]# cd odp
[root@localhost odp]# ls
appid.conf       AUTHORS  LICENSE  port    version.conf
appMapping.data  libs     lua      README
[root@localhost odp]#

On my CentOS Linux, the OpenAppID detectors are stored at '/etc/snort/openappid/odp', as shown above.

In this environment, how should we set the directory?

Initially I set it in snort.conf as 'app_detector_dir /etc/snort/openappid/odp'. But 'odp' itself is part of the OpenAppID detector directory structure: Snort OpenAppID looks for its files relative to the odp structure.

When a detector is needed, it is referenced as ./odp/appid.conf or ./odp/lua/client_100bao.lua, relative to app_detector_dir.

Therefore the directory setting should not include 'odp'.

The correct directory setting is as follows.

Wrong: app_detector_dir /etc/snort/openappid/odp

Correct: app_detector_dir /etc/snort/openappid


After I changed the directory setting in snort.conf, the 'invalid app' error message no longer appeared.

If you are seeing this kind of error message, change the directory setting in your snort.conf accordingly.
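To catch this mistake before Snort is even started, here is a small POSIX shell check. It is an added example and not part of the original post or of Snort itself: it reads app_detector_dir from a snort.conf, rejects a value that ends in odp, and confirms that odp/appid.conf exists under the configured directory, matching the layout shown above. The function names and the temporary demo layout are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): check app_detector_dir in a
# snort.conf before starting Snort. OpenAppID appends odp/... to the configured
# directory itself, so the setting must point at the parent of odp.

# Print the value of app_detector_dir from a snort.conf (last occurrence wins,
# comment lines are skipped), or nothing if it is not set.
get_app_detector_dir() {
    sed -n '/^[[:space:]]*#/d; s/.*app_detector_dir[[:space:]]*\([^[:space:],]*\).*/\1/p' "$1" | tail -n 1
}

# Exit status: 0 = directory looks correct, 1 = setting missing,
# 2 = setting points at odp itself (the mistake described above),
# 3 = no odp/appid.conf under the configured directory.
check_app_detector_dir() {
    conf="$1"
    dir=$(get_app_detector_dir "$conf")
    if [ -z "$dir" ]; then
        echo "app_detector_dir is not set in $conf" >&2
        return 1
    fi
    case "$dir" in
        */odp|*/odp/)
            echo "app_detector_dir '$dir' points at odp itself; use its parent directory" >&2
            return 2
            ;;
    esac
    if [ ! -f "$dir/odp/appid.conf" ]; then
        echo "no odp/appid.conf under '$dir'; detectors would not load" >&2
        return 3
    fi
    echo "app_detector_dir '$dir' looks correct"
    return 0
}

# Demo on a constructed layout that mimics /etc/snort/openappid/odp.
demo=$(mktemp -d)
mkdir -p "$demo/openappid/odp"
: > "$demo/openappid/odp/appid.conf"
printf 'preprocessor appid: app_stats_filename appstats-u2.log, \\\n app_stats_period 10, \\\n app_detector_dir %s/openappid/odp\n' "$demo" > "$demo/wrong.conf"
printf 'preprocessor appid: app_stats_filename appstats-u2.log, \\\n app_stats_period 10, \\\n app_detector_dir %s/openappid\n' "$demo" > "$demo/right.conf"
check_app_detector_dir "$demo/wrong.conf" || echo "wrong.conf rejected with status $?"
check_app_detector_dir "$demo/right.conf"
rm -rf "$demo"
```

Run it against the real file with check_app_detector_dir /etc/snort/snort.conf; a non-zero status means the OpenAppID detectors would not be found at startup.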

 

No white_list.rules and black_list.rules

During the installation of OpenAppID, some people get stuck because 'white_list.rules' and 'black_list.rules' are not available on snort.org.

So where can we get these files?

Snort.org does not provide them. If these files are not present, Snort issues an error message and stops.

You can simply copy some rules file to these names. I copied 'local.rules' to both.

In /etc/snort/rules:

cp local.rules white_list.rules

cp local.rules black_list.rules

Since every rule file has the same structure, you can copy it. The rule file names only distinguish their purposes.

If you do not need this functionality, you can comment it out in snort.conf.
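The following POSIX shell snippet is an added example, not part of the original post or of Snort, for creating the two list files when they are missing and checking what is in them. One caveat worth knowing: the reputation preprocessor reads white_list.rules and black_list.rules as lists of IP addresses or CIDR blocks, one per line with '#' comments, not as Snort signature rules. Copying local.rules works because a fresh local.rules contains only comments, so it is effectively an empty list; the validator below flags the case where a file with real signatures is used instead. The function names and the temporary demo directory are my own constructions, and the validator handles only IPv4 for simplicity.

```shell
#!/bin/sh
# Added example (not from the original post): make sure the reputation
# preprocessor's list files exist before Snort starts, since Snort stops with
# an error when a configured list file is missing. The preprocessor reads these
# files as one IP address or CIDR block per line (with # comments), so a
# comment-only file is a valid, empty list.

# Create a comment-only list file at $1 if it does not exist.
# Returns 0 if created, 1 if it was already there.
ensure_list_file() {
    if [ -e "$1" ]; then
        return 1
    fi
    printf '# %s: reputation list, one IPv4 address or CIDR block per line\n' \
        "$(basename "$1")" > "$1"
    return 0
}

# Create both list files under the rules directory $1 (for example /etc/snort/rules).
ensure_reputation_lists() {
    for name in white_list.rules black_list.rules; do
        if ensure_list_file "$1/$name"; then
            echo "created $1/$name"
        else
            echo "$1/$name already present"
        fi
    done
}

# Print the number of entries the preprocessor would load from $1
# (lines that are neither blank nor comments).
count_list_entries() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Return 0 when every entry in $1 looks like an IPv4 address or CIDR block
# (IPv6 is left out of this simple check), 1 otherwise, listing the bad lines.
# This catches a file of real Snort signatures being used as a reputation list.
list_file_is_valid() {
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | grep -E -v '^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "entries that are not IPv4 addresses in $1:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed rules directory.
demo=$(mktemp -d)
ensure_reputation_lists "$demo"
printf '10.0.0.0/8\n192.168.1.5\n' >> "$demo/black_list.rules"
echo "black_list.rules entries: $(count_list_entries "$demo/black_list.rules")"
list_file_is_valid "$demo/black_list.rules" && echo "black_list.rules is a valid list"
rm -rf "$demo"
```

On a real box, ensure_reputation_lists /etc/snort/rules creates whatever is missing, and list_file_is_valid on each file tells you whether the preprocessor will be able to read it.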


How to install OpenAppID?

Somebody asked me how to install OpenAppID.

Snort comes in variants such as plain Snort and Snort with OpenAppID.

So you can download the Snort OpenAppID binary or source from Snort.org and install it on your machine.

In my case I installed it on my CentOS 7 machine, and it works well.

For example, for my CentOS 7:

   snort-openappid-2.9.11.1-1.centos7.x86_64.rpm

   Link: https://snort.org/downloads/snort/snort-openappid-2.9.11.1-1.centos7.x86_64.rpm

The detailed installation is well explained on Snort.org, so I do not repeat it here.

If you have any questions, please let me know. OpenAppID is new, so there is not much information about it on the Internet.

Good luck with Snort OpenAppID.