Firing UP OpenAppID

a guest
Jun 16th, 2019
Installation of OpenAppID pre-processor for Snort IDS

I have heard many good things about the OpenAppID pre-processor for Snort and wanted to include it in my existing Snort installation before upgrading it. This pre-processor allows you to detect the applications running on your network and can be a great aid in identifying suspicious applications or any application not conforming to your company policy.

There is a good installation note for OpenAppID from the Snort team but, I felt, there are some missing links. So, here is the sequence to follow for enabling OpenAppID in your Snort IDS installation on CentOS or an equivalent Linux distribution:

Make sure that the following rpms are present on the system. If not, install them using yum.

# yum install ethtool make zlib zlib-devel gcc gcc-c++ libtool.x86_64 pcre-devel libpcap libpcap-devel flex bison tcpdump autoconf unzip python-setuptools python-devel lua lua-devel

Download Snort and its associated libraries from the snort.org site:

Download snort-2.9.7.2
Download daq-2.0.4
Download libdnet-1.12
Register yourself on snort.org and download the registered rule set - snortrules-snapshot-2972
Download snort-openappid
Download the just-in-time compiler LuaJIT-2.0.3

All the downloaded packages are saved under the /home/admin/installs directory.

Now, let us compile and install them one-by-one.

# cd /home/admin/installs
# tar xzvf libdnet-1.12.tar.gz
# cd libdnet-1.12/
# ./configure
# make
# make install
# cd ..
# tar xzvf LuaJIT-2.0.3.tar.gz
# cd LuaJIT-2.0.3/
# make
# make install
# cd ..
# tar -xzvf daq-2.0.4.tar.gz
# cd daq-2.0.4/
# ./configure
# make
# make install
# ldconfig
# cd ..

Now, compile Snort with the OpenAppID pre-processor.

# tar -xvf snort-2.9.7.2.tar.gz
# cd snort-2.9.7.2
# ./configure --enable-sourcefire --enable-open-appid
# make
# make install
# which snort
/usr/local/bin/snort
# /usr/local/bin/snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.2 GRE (Build 177)

Now, configure the Snort configuration files and create some directories:

# mkdir /etc/snort # For configuration
# mkdir /var/log/snort # For log data
# mkdir /usr/local/lib/snort_dynamicrules # For dynamic rules
# mkdir /etc/snort/rules # For normal text rules
# touch /etc/snort/white_list.rules # For white lists
# touch /etc/snort/black_list.rules # For black lists

A set of configuration files is included in the Snort tarball. These files need to be copied into the /etc/snort/ directory.

# cd /home/admin/installs/snort-2.9.7.2
# cp etc/* /etc/snort/

This copies the files file_magic.conf, snort.conf, unicode.map, classification.config, gen-msg.map, reference.config and threshold.conf to /etc/snort.

Now, extract the registered Snort rules (the snortrules-snapshot tarball downloaded earlier) and copy them to /etc/snort:

# cd /home/admin/installs
# mkdir -p snort_rules
# mv snortrules-snapshot-2.9.7.2.tar.gz snort_rules
# cd snort_rules
# tar -zxvf snortrules-snapshot-2.9.7.2.tar.gz
# cp -r preproc_rules /etc/snort
# cp -r rules /etc/snort
# cp -r so_rules /etc/snort

The next step is to configure the Snort configuration file, /etc/snort/snort.conf. The following changes are required:

# vim /etc/snort/snort.conf

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort
var BLACK_LIST_PATH /etc/snort

# comment out the path to the dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

The next step is to add the configuration for the OpenAppID preprocessor to the snort.conf file. Find the lines for the reputation preprocessor. Just after the reputation preprocessor and before Step 6 we will add another preprocessor setting:

preprocessor appid: app_stats_filename appstats-u2.log, \
   app_stats_period 60, \
   app_detector_dir /usr/local/snort

This turns on the OpenAppID preprocessor. The first line names the file to which application statistics will be logged, the second one sets the period used to sample this data, and the third one specifies the directory that contains the odp directory extracted from the snort-openappid detector package (so that package must have been unpacked under /usr/local/snort, giving /usr/local/snort/odp).

Now, let us configure the output section in snort.conf.

Again open the snort.conf file and look in Step 6 for the lines explaining the unified2 output type. In that section add the following line:

output unified2: filename snort_openappid.log, limit 128, appid_event_types

Now fire up the Snort instance:

# /usr/local/bin/snort -c /etc/snort/snort.conf -i eth#

where eth# is whichever interface you are monitoring (e.g. eth0).
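Before firing up Snort it is worth checking that the two OpenAppID settings above actually made it into snort.conf. The following sh script is an added example, not part of the original paste or of Snort itself: it writes a constructed snort.conf fragment, joins the backslash-continued appid stanza, verifies that app_detector_dir points at a directory holding an odp subdirectory, and checks the unified2 output line carries appid_event_types. The temporary directory layout is an assumption that stands in for /usr/local/snort on a real box.

```shell
#!/bin/sh
# Added example, not from the original paste: sanity-check the OpenAppID
# settings in a snort.conf before starting Snort. The files written by
# write_sample_conf are constructed for the demonstration.

# check_appid_conf FILE
# Returns 0 when FILE has a "preprocessor appid:" stanza whose
# app_detector_dir contains an odp/ subdirectory, and a "output unified2:"
# line that includes appid_event_types. Prints what is missing, returns 1.
check_appid_conf() {
    conf="$1"
    rc=0
    # The appid stanza spans backslash-continued lines, so join them first.
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$conf")
    stanza=$(printf '%s\n' "$joined" | grep '^preprocessor appid:' || true)
    if [ -z "$stanza" ]; then
        echo "missing: preprocessor appid stanza"
        rc=1
    else
        # Pull the directory argument and verify the odp/ tree is present.
        dir=$(printf '%s\n' "$stanza" |
              sed -n 's/.*app_detector_dir[[:space:]]*\([^ ,]*\).*/\1/p')
        if [ -z "$dir" ]; then
            echo "missing: app_detector_dir in appid stanza"
            rc=1
        elif [ ! -d "$dir/odp" ]; then
            echo "missing: $dir/odp (unpack snort-openappid there)"
            rc=1
        fi
    fi
    if ! grep -q '^output unified2:.*appid_event_types' "$conf"; then
        echo "missing: 'output unified2: ... appid_event_types' line"
        rc=1
    fi
    return $rc
}

# write_sample_conf FILE DETECTOR_DIR WITH_APPID_EVENTS(1|0)
# Writes a constructed snort.conf fragment mirroring the edits above.
write_sample_conf() {
    out="$1"; ddir="$2"; with_events="$3"
    outline='output unified2: filename snort_openappid.log, limit 128'
    if [ "$with_events" = 1 ]; then
        outline="$outline, appid_event_types"
    fi
    printf '%s\n' \
        '# ... reputation preprocessor (Step 5) sits above this line ...' \
        'preprocessor appid: app_stats_filename appstats-u2.log, \' \
        '    app_stats_period 60, \' \
        "    app_detector_dir $ddir" \
        '# ... Step 6: output plugins ...' \
        "$outline" > "$out"
}

# Demonstration on a temporary tree standing in for /usr/local/snort.
demo() {
    tmpd=$(mktemp -d)
    mkdir -p "$tmpd/detectors/odp"
    write_sample_conf "$tmpd/good.conf" "$tmpd/detectors" 1
    write_sample_conf "$tmpd/bad.conf"  "$tmpd/detectors" 0
    check_appid_conf "$tmpd/good.conf" && echo "good.conf: OK"
    check_appid_conf "$tmpd/bad.conf"  || echo "bad.conf: rejected"
    rm -rf "$tmpd"
}
demo
```

On a real installation call check_appid_conf /etc/snort/snort.conf; it complements snort -T, which validates syntax but will happily start without the appid_event_types flag, in which case no application events ever reach the unified2 log.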


Possible Errors

1) daq_static library not found:

# ./configure: line 15736: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no

ERROR! daq_static library not found, go get it from
http://www.snort.org/.

This happens if the daq_static library is not in the path, so add "/usr/local/bin" to the PATH variable:

[root@psj snort-2.9.7.2]# which daq_static
/usr/bin/which: no daq_static in (/sbin:/bin:/usr/sbin:/usr/bin)
[root@psj snort-2.9.7.2]# which daq-modules-config
/usr/bin/which: no daq-modules-config in (/sbin:/bin:/usr/sbin:/usr/bin)
[root@psj snort-2.9.7.2]# export PATH=$PATH:/usr/local/bin


2) LuaJIT library not found:

[root@psj snort-2.9.7.2]# ./configure --enable-sourcefire --enable-open-appid
checking for a BSD-compatible install... /usr/bin/install -c

checking pkg-config is at least version 0.9.0... yes
checking for luajit... no

ERROR! LuaJIT library not found. For better performance, go get it from
http://www.luajit.org/.
configure: error: "Fatal!"

To correct this, install the latest version of LuaJIT from http://luajit.org/download.html

3) libluajit-5.1.so.2: cannot open shared object file: No such file or directory

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... ERROR: Failed to load /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
Fatal Error, Quitting..

To correct it, do the following:

[root@psj snort-2.9.7.2]# ldd /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so
linux-gate.so.1 => (0x007d8000)
libluajit-5.1.so.2 => not found
libdnet.1 => /usr/local/lib/libdnet.1 (0x00c79000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00a7c000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00d6f000)
libm.so.6 => /lib/libm.so.6 (0x00667000)
libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x007d9000)
libdl.so.2 => /lib/libdl.so.2 (0x00eef000)
libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x005c5000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00114000)
libz.so.1 => /lib/libz.so.1 (0x00e07000)
libpthread.so.0 => /lib/libpthread.so.0 (0x006e5000)
libc.so.6 => /lib/libc.so.6 (0x00aac000)
/lib/ld-linux.so.2 (0x002b8000)

# find /usr/ -name libluajit-5.1.so.2 # Check where the required .so is
/usr/local/lib/libluajit-5.1.so.2

[root@psj snort-2.9.7.2]# ls -l /usr/local/lib/libluajit-5.1.so.2
lrwxrwxrwx 1 root root 22 Apr 10 12:31 /usr/local/lib/libluajit-5.1.so.2 -> libluajit-5.1.so.2.0.3

# ldconfig

Then test the Snort configuration again:

# snort -c /etc/snort/snort.conf -T
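The two diagnostics behind errors 1 and 3 above, the PATH check and the scan of ldd output for libraries reported as "not found", are easy to turn into reusable sh functions. The script below is an added example and not part of the original paste: the ldd listing and the directory tree it scans are constructed inline (the tree stands in for /usr/local/lib), so it runs without a Snort build present.

```shell
#!/bin/sh
# Added example, not from the original paste: reusable checks for the
# PATH and missing-shared-library problems described above. SAMPLE_LDD and
# the temporary tree in demo() are constructed for the demonstration.

# path_has DIR: return 0 when DIR is one of the PATH entries.
# Error 1 is the case where /usr/local/bin, where the DAQ tools such as
# daq-modules-config were installed, is absent from PATH.
path_has() {
    case ":$PATH:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_libs: read ldd output on stdin and print the name of every
# library reported as "not found"; exit status 1 if there was at least one.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1; n++ }
         END { exit (n > 0) }'
}

# locate_lib NAME ROOT: print where NAME lives under ROOT, the same idea as
# "find /usr/ -name libluajit-5.1.so.2" above; status 1 if it is nowhere.
locate_lib() {
    found=$(find "$2" -name "$1" 2>/dev/null | head -n 1)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Constructed ldd listing modelled on the error 3 output above.
SAMPLE_LDD='    linux-gate.so.1 =>  (0x007d8000)
    libluajit-5.1.so.2 => not found
    libdnet.1 => /usr/local/lib/libdnet.1 (0x00c79000)
    libpcre.so.0 => /lib/libpcre.so.0 (0x00a7c000)
    /lib/ld-linux.so.2 (0x002b8000)'

demo() {
    path_has /usr/local/bin || echo "PATH lacks /usr/local/bin: export PATH=\$PATH:/usr/local/bin"

    # Constructed tree standing in for /usr/local/lib with the LuaJIT symlink.
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/lib"
    : > "$root/usr/local/lib/libluajit-5.1.so.2.0.3"
    ln -s libluajit-5.1.so.2.0.3 "$root/usr/local/lib/libluajit-5.1.so.2"

    printf '%s\n' "$SAMPLE_LDD" | missing_libs | while read -r lib; do
        echo "missing: $lib"
        # Present on disk but unknown to the loader means the cache is stale:
        # that is the case ldconfig fixes. Absent entirely means install it.
        locate_lib "$lib" "$root/usr" || echo "  not installed anywhere under $root/usr"
    done
    rm -rf "$root"
}
demo
```

In practice run ldd on libsf_appid_preproc.so and pipe it into missing_libs; a library that locate_lib finds under /usr/local/lib while ldd still says "not found" is the stale loader cache case that ldconfig resolves, whereas a library found nowhere needs installing first.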


If you wish to write your own OpenAppID plugins or extend/tailor the functionality, technical details are available in the Open Detector Developer Guide: https://usermanual.wiki/Pdf/OpenDetectorDeveloperGuide.729399446/html

The following articles were very useful while installing and configuring OpenAppID:
1) http://blog.snort.org/2014/03/firing-up-openappid.html
2) http://phucnw.blogspot.in/search?q=snort
3) http://puremonkey2010.blogspot.in/2014/10/snort-customized-appid-lua-script-as.html?m=1
4) https://www.bilgiguvenligi.gov.tr/saldiri-tespit-sistemleri/snort-openappid-ile-uygulama-farkindaligi.html

The following videos nicely explain the concepts behind OpenAppID:
1) http://www.irongeek.com/i.php?page=videos/derbycon4/t402-snort-openappid-how-to-build-an-open-source-next-generation-firewall-adam-hogan
2) http://blog.snort.org/2014/06/openappid-training-videos-how-to-create.html

Presentation links:
1) https://www.snort.org/documents/openappid-detection-webinar
2) http://www.centralohioissa.org/wp-content/uploads/2014/07/OpenAppID-ISSA_Rafeeq-Rehman.pdf
3) https://www.snort.org/documents/55