Invalid app error message on Snort OpenApp ID
Annoying 'Invalid App id' message from Snort OpenApp ID
Snort is one of the best-known open source tools for DPI (Deep Packet Inspection) and security monitoring. Snort has now been extended with Open App ID, which identifies applications on the network by analysing packets.
To review this functionality, I installed Snort Open App ID, but I kept getting the error message "invalid appid" even after checking the configuration and reinstalling the application several times.
The error messages I got are as follows.
Snort itself runs normally without an error message. The "Commencing packet processing" message means Snort is now capturing and monitoring packets.
The next message, 'invalid appid in appStat Record (638)', means Snort failed to identify which application the traffic belongs to.
To fix this issue I tried everything I could think of and finally got through it, so I want to share the solution.
'Invalid Appid' error is caused by a wrong directory setting in the configuration
The cause of this issue was a wrong setting in the Snort configuration. My Snort configuration is stored at /etc/snort.
There is a file named 'snort.conf' which holds every configuration setting. There we set directory information for the OpenApp ID detector, local rules, etc.
To activate Open App ID functionality on Snort, the following configuration should be added to 'snort.conf':
[Files on my linux /etc/snort]
[root@localhost snort]# pwd
/etc/snort
[root@localhost snort]# ls
classification.config menu-content.js rules threshold.conf
community-rules openappid snort.conf unicode.map
etc preproc_rules snort.conf_clean
gen-msg.map reference.config so_rules
[root@localhost snort]#
[snort.conf]
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

preprocessor appid: app_stats_filename appstats-u2.log, \
   app_stats_period 10, \
   app_detector_dir /etc/snort/openappid
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################
The 'preprocessor appid' lines above are the ones that belong to Open App ID. Note the directory setting: app_detector_dir /etc/snort/openappid
This setting needs care. My directory structure is as follows.
[root@localhost snort]# pwd
/etc/snort
[root@localhost snort]# ls
classification.config menu-content.js rules threshold.conf
community-rules openappid snort.conf unicode.map
etc preproc_rules snort.conf_clean
gen-msg.map reference.config so_rules
[root@localhost snort]# cd openappid/
[root@localhost openappid]# ls
odp
[root@localhost openappid]# cd odp
[root@localhost odp]# ls
appid.conf AUTHORS LICENSE port version.conf
appMapping.data libs lua README
[root@localhost odp]#
On my CentOS Linux system the Open App ID detectors are stored at '/etc/snort/openappid/odp', as shown above.
In this environment, how should the directory be set?
Initially I set it in snort.conf as 'app_detector_dir /etc/snort/openappid/odp'. But 'odp' itself is part of the OpenApp ID detector's directory structure: Snort OpenApp ID looks for its files relative to the odp directory.
When a detector is needed, it is referenced as ./odp/appid.conf or ./odp/lua/client_100bao.lua.
Therefore the directory should be set so that it does not include 'odp'.
The correct directory setting is as follows.
Wrong: app_detector_dir /etc/snort/openappid/odp
Correct: app_detector_dir /etc/snort/openappid
After I changed the directory setting in snort.conf, the 'invalid appid' error message no longer appeared.
If you are seeing this kind of error message, correct the directory setting in your snort.conf.
Missing white_list.rules and black_list.rules
During the installation of Open App ID, some people get stuck because there are no 'white_list.rules' and 'black_list.rules' files on snort.org.
So where can we get these files?
Snort.org does not provide them. If these files are not present, Snort prints an error message and stops.
You can simply copy some rules file to these names. I copied 'local.rules' to both of them.
In /etc/snort/rules:
cp local.rules white_list.rules
cp local.rules black_list.rules
Since every rule file has the same structure, you can copy it; each rule file name just distinguishes its purpose.
If you do not need this functionality, you can comment it out in snort.conf.
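The two checks described above (the detector directory must be the parent of odp, and the reputation list files must exist) as an added POSIX shell pre-flight script, not part of the original post; it builds a constructed temporary tree for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Pre-flight check for the two snort.conf problems described above:
# an app_detector_dir that wrongly includes the odp component, and
# missing reputation list files. Paths below are constructed for the demo.

# Print the app_detector_dir value found in the given snort.conf (first match).
appid_detector_dir() {
    sed -n 's/.*app_detector_dir[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the configured detector dir is usable: it must not end in /odp,
# and <dir>/odp/appid.conf must exist. Otherwise print the reason and return 1.
check_app_detector_dir() {
    dir=$(appid_detector_dir "$1")
    [ -n "$dir" ] || { echo "app_detector_dir is not set in $1"; return 1; }
    case "${dir%/}" in
        */odp) echo "app_detector_dir must be the parent of odp, not $dir"; return 1 ;;
    esac
    [ -f "${dir%/}/odp/appid.conf" ] || { echo "no odp/appid.conf under $dir"; return 1; }
    return 0
}

# Return 0 if both reputation list files exist in the given rules dir, else 1.
# The reputation preprocessor reads these as IP/CIDR lists (README.reputation),
# so a comment-only or empty file is a valid, harmless list.
check_reputation_lists() {
    for f in "$1/white_list.rules" "$1/black_list.rules"; do
        [ -f "$f" ] || { echo "missing $f"; return 1; }
    done
    return 0
}

# Build a constructed /etc/snort-like tree in a temp dir and print its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/openappid/odp" "$t/rules"
    : > "$t/openappid/odp/appid.conf"
    printf 'app_detector_dir %s/openappid/odp\n' "$t" > "$t/snort.conf.wrong"
    printf 'app_detector_dir %s/openappid\n' "$t" > "$t/snort.conf.right"
    echo "$t"
}

# Demonstration on the constructed tree; for a real check pass /etc/snort.
demo=$(make_demo_tree)
check_app_detector_dir "$demo/snort.conf.wrong" || echo "(wrong setting rejected)"
check_app_detector_dir "$demo/snort.conf.right" && echo "detector dir OK"
check_reputation_lists "$demo/rules" || echo "(create the list files, e.g. cp local.rules white_list.rules)"
rm -rf "$demo"
```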
How to install OpenApp ID?
Some people ask me how they could install Open App ID.
Snort comes in variants: plain Snort, and Snort with OpenApp ID functionality.
So you can download the Snort OpenApp ID binary or source from Snort.org and install it on your machine.
In my case I installed it on my CentOS 7 machine, and it is working well.
For example, for my CentOS 7:
snort-openappid-2.9.11.1-1.centos7.x86_64.rpm
Link: https://snort.org/downloads/snort/snort-openappid-2.9.11.1-1.centos7.x86_64.rpm
Detailed installation is well explained on Snort.org, so I do not cover it here.
If you have any questions, please let me know. OpenApp ID is new, and there is not much information about it on the Internet.
Good luck with Snort Open App ID.