I have heard many good things about the OpenAppID pre-processor for snort and wanted to include it in my existing snort installation before upgrading. This pre-processor detects the applications running on your network and can be a great aid in identifying suspicious applications, or any application not conforming to your company policy.
There is a good installation note for OpenAppID from the snort team but, I felt, there were some missing links. So, here is the sequence to follow for enabling OpenAppID on a snort IDS installation on CentOS or an equivalent Linux distribution:
Make sure that the following rpms are present on the system. If not, install them using yum:
# yum install ethtool make zlib zlib-devel gcc gcc-c++ libtool.x86_64 pcre-devel libpcap libpcap-devel flex bison tcpdump autoconf unzip python-setuptools python-devel lua lua-devel
Download snort and its associated libraries (libdnet, LuaJIT, DAQ, the snort tarball and the registered rules snapshot) from the snort site. All the downloaded packages are saved under the /home/admin/installs directory.
Now, let us compile and install them one-by-one.
# cd /home/admin/installs
# tar xzvf libdnet-1.12.tar.gz
# cd libdnet-1.12/
# ./configure
# make
# make install
# cd ..
# tar xzvf LuaJIT-2.0.3.tar.gz
# cd LuaJIT-2.0.3/
# make
# make install
# cd ..
# tar -xzvf daq-2.0.4.tar.gz
# cd daq-2.0.4/
# ./configure
# make
# make install
# ldconfig
# cd ..
Now compile snort with the OpenAppID pre-processor enabled:
# tar -xvf snort-2.9.7.2.tar.gz
# cd snort-2.9.7.2
# ./configure --enable-sourcefire --enable-open-appid
# make
# make install
# which snort
/usr/local/bin/snort
# /usr/local/bin/snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.2 GRE (Build 177)
Now create the directories snort needs (the configuration files come next):
# mkdir /etc/snort # For configuration
# mkdir /var/log/snort # For log data
# mkdir /usr/local/lib/snort_dynamicrules # For dynamic rules
# mkdir /etc/snort/rules # For normal text rules
# touch /etc/snort/white_list.rules # For white lists
# touch /etc/snort/black_list.rules # For black lists
A set of configuration files is included in the snort tarball. These files need to be copied into the /etc/snort/ directory:
# cd /home/admin/installs/snort-2.9.7.2
# cp etc/* /etc/snort/
This copies the files file_magic.conf, snort.conf, unicode.map, classification.config, gen-msg.map, reference.config and threshold.conf to /etc/snort.
Now extract the snort registered rules snapshot (snortrules-snapshot-2.9.7.2.tar.gz) and copy the rule directories to /etc/snort:
# cd /home/admin/installs
# mkdir -p snort_rules
# mv snortrules-snapshot-2.9.7.2.tar.gz snort_rules
# cd snort_rules
# tar -zxvf snortrules-snapshot-2.9.7.2.tar.gz
# cp -r preproc_rules /etc/snort
# cp -r rules /etc/snort
# cp -r so_rules /etc/snort
The next step is to edit the snort configuration file, /etc/snort/snort.conf. Set the path variables as follows and comment out the dynamic rules directory (the snort_dynamicrules directory is empty, so leaving it active only produces a load error):
# vim /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort
var BLACK_LIST_PATH /etc/snort
# comment out the path to the dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
The next step is to add the OpenAppID preprocessor configuration to snort.conf. Find the lines for the reputation preprocessor; just after the reputation preprocessor and before Step 6, add the following preprocessor setting:
preprocessor appid: app_stats_filename appstats-u2.log, \
app_stats_period 60, \
app_detector_dir /usr/local/snort
This turns on the OpenAppID preprocessor. The first line names the file to which application statistics will be logged, the second sets the time period used to sample this data, and the third names the directory that contains the odp directory extracted from the Open App ID Detector package (extract that package under /usr/local/snort so that /usr/local/snort/odp exists before starting snort).
Now configure the output section in snort.conf. Open snort.conf again, look in Step 6 for the lines explaining the unified2 output type, and add the following line in that section:
output unified2: filename snort_openappid.log, limit 128, appid_event_types
Now fire up a Snort instance:
# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth#
where eth# is whichever interface you will be monitoring (e.g. eth0).
Possible Errors
1) daq_static library not found:
# ./configure: line 15736: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no
ERROR! daq_static library not found, go get it from
http://www.snort.org/.
This happens when daq-modules-config (installed to /usr/local/bin by DAQ) is not on the PATH, so configure cannot locate the daq_static library. Add /usr/local/bin to the PATH variable:
[root@psj snort-2.9.7.2]# which daq_static
/usr/bin/which: no daq_static in (/sbin:/bin:/usr/sbin:/usr/bin)
[root@psj snort-2.9.7.2]# which daq-modules-config
/usr/bin/which: no daq-modules-config in (/sbin:/bin:/usr/sbin:/usr/bin)
[root@psj snort-2.9.7.2]# export PATH=$PATH:/usr/local/bin
2) LuaJIT library not found:
[root@psj snort-2.9.7.2]# ./configure --enable-sourcefire --enable-open-appid
checking for a BSD-compatible install... /usr/bin/install -c
checking pkg-config is at least version 0.9.0... yes
checking for luajit... no
ERROR! LuaJIT library not found. For better performance, go get it from
http://www.luajit.org/.
configure: error: "Fatal!"
To correct this, install the latest version of LuaJIT from http://luajit.org/download.html
3) libluajit-5.1.so.2: cannot open shared object file: No such file or directory
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... ERROR: Failed to load /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
Fatal Error, Quitting..
To correct it, do the following:
[root@psj snort-2.9.7.2]# ldd /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so
linux-gate.so.1 => (0x007d8000)
libluajit-5.1.so.2 => not found
libdnet.1 => /usr/local/lib/libdnet.1 (0x00c79000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00a7c000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00d6f000)
libm.so.6 => /lib/libm.so.6 (0x00667000)
libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x007d9000)
libdl.so.2 => /lib/libdl.so.2 (0x00eef000)
libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x005c5000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00114000)
libz.so.1 => /lib/libz.so.1 (0x00e07000)
libpthread.so.0 => /lib/libpthread.so.0 (0x006e5000)
libc.so.6 => /lib/libc.so.6 (0x00aac000)
/lib/ld-linux.so.2 (0x002b8000)
# find /usr/ -name libluajit-5.1.so.2 # Check where is the required .so
/usr/local/lib/libluajit-5.1.so.2
[root@psj snort-2.9.7.2]# ls -l /usr/local/lib/libluajit-5.1.so.2
lrwxrwxrwx 1 root root 22 Apr 10 12:31 /usr/local/lib/libluajit-5.1.so.2 -> libluajit-5.1.so.2.0.3
# ldconfig
Running ldconfig refreshes the loader cache so that /usr/local/lib/libluajit-5.1.so.2 is found; if ldd still reports it as not found afterwards, add /usr/local/lib to /etc/ld.so.conf (or a file under /etc/ld.so.conf.d/) and run ldconfig again. Then test the configuration once more:
# snort -c /etc/snort/snort.conf -T
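A pre-flight script that checks the snort.conf edits and the prerequisites from the steps above before snort is started, and catches errors 1 and 3 from this section early. It is an added example written for this post, not a script from the Snort project; it assumes the same paths used above (/etc/snort, /usr/local/snort/odp, /usr/local/bin/snort) and a POSIX sh on the CentOS box.

```shell
#!/bin/sh
# Pre-flight check for the OpenAppID setup in this post (constructed example; paths
# are the ones used above, not Snort defaults). Usage: sh check_openappid.sh /etc/snort/snort.conf
# check_conf CONF: verify snort.conf carries every directive the post adds.
# Prints each problem; returns the number of problems found (0 = ok).
check_conf() {
    conf="$1"; missing=0
    for pat in \
        '^var RULE_PATH /etc/snort/rules' \
        '^var SO_RULE_PATH /etc/snort/so_rules' \
        '^var PREPROC_RULE_PATH /etc/snort/preproc_rules' \
        '^var WHITE_LIST_PATH /etc/snort' \
        '^var BLACK_LIST_PATH /etc/snort' \
        '^preprocessor appid:' \
        'app_detector_dir /usr/local/snort' \
        '^output unified2:.*appid_event_types'
    do
        grep -q "$pat" "$conf" || { echo "missing in $conf: $pat"; missing=$((missing+1)); }
    done
    # dynamicdetection must stay commented out: snort_dynamicrules holds no libraries
    if grep -q '^dynamicdetection directory' "$conf"; then
        echo "dynamicdetection directory still active in $conf"; missing=$((missing+1))
    fi
    return "$missing"
}
# check_paths: directories, rule files and libraries the run depends on; catches
# errors 1 and 3 from the troubleshooting section before snort is started.
check_paths() {
    bad=0
    for d in /etc/snort/rules /etc/snort/so_rules /etc/snort/preproc_rules \
             /usr/local/snort/odp /var/log/snort; do
        [ -d "$d" ] || { echo "missing directory: $d"; bad=$((bad+1)); }
    done
    for f in /etc/snort/white_list.rules /etc/snort/black_list.rules; do
        [ -f "$f" ] || { echo "missing file: $f"; bad=$((bad+1)); }
    done
    command -v daq-modules-config >/dev/null 2>&1 \
        || { echo "daq-modules-config not on PATH: export PATH=\$PATH:/usr/local/bin"; bad=$((bad+1)); }
    ldconfig -p 2>/dev/null | grep -q 'libluajit-5.1.so.2' \
        || { echo "libluajit-5.1.so.2 not in loader cache: add /usr/local/lib to ld.so.conf, run ldconfig"; bad=$((bad+1)); }
    return "$bad"
}
# Run the checks only when a snort.conf path is given, then test the config with snort -T.
if [ $# -gt 0 ]; then
    check_conf "$1"; c=$?
    check_paths; p=$?
    [ "$c" -eq 0 ] && [ "$p" -eq 0 ] && exec /usr/local/bin/snort -c "$1" -T
    echo "fix the problems above and re-run"; exit 1
fi
```

Run it as root so that the final snort -T sees the same environment the IDS will run under; each reported problem maps to one of the steps above.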
If you wish to write your own OpenAppID detectors or extend/tailor the functionality, technical details are available in this document.
The following articles were very useful while installing and configuring OpenAppID:
1) http://blog.snort.org/2014/03/firing-up-openappid.html
2) http://phucnw.blogspot.in/search?q=snort
3) http://puremonkey2010.blogspot.in/2014/10/snort-customized-appid-lua-script-as.html?m=1
4) https://www.bilgiguvenligi.gov.tr/saldiri-tespit-sistemleri/snort-openappid-ile-uygulama-farkindaligi.html
The following videos nicely explain the concepts behind OpenAppID:
1) http://www.irongeek.com/i.php?page=videos/derbycon4/t402-snort-openappid-how-to-build-an-open-source-next-generation-firewall-adam-hogan
2) http://blog.snort.org/2014/06/openappid-training-videos-how-to-create.html
Presentation links:
1) https://www.snort.org/documents/openappid-detection-webinar
2) http://www.centralohioissa.org/wp-content/uploads/2014/07/OpenAppID-ISSA_Rafeeq-Rehman.pdf
3) https://www.snort.org/documents/55