SHARE
TWEET

Firing UP OpenAppID

a guest Jun 16th, 2019 72 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  Installation of OpenAppID pre-processor for Snort IDS
  2. I have heard many good things about OpenAppID pre-processor for snort and wanted to include it in my existing snort installation before up-gradation. This pre-processor allows you to detect application running on your network and can be a great aid in identifying suspicious applications or any application not confirming to your company policy.
  3.  
  4. There is a good installation note for OpenAppID from snort team but, I felt, there are some missing links. So, here is the sequence that is to be followed for enabling OpenAppID for your snort IDS installation on CentOS or its equivalent linux distribution system:
  5.  
  6. Make sure that the following rpms are present on the system. If not install them using yum.
  7.  
  8. # yum install ethtool make zlib zlib-devel gcc gcc-c++ libtool.x86_64 pcre-devel libpcap libpcap-devel flex bison tcpdump autoconf unzip python-setuptools python-devel lua lua-devel
  9.  
  10.  
  11. Download snort and its associated libraries from snort site:
  12.  
  13.     Download snort-2.9.7.2
  14.     Download daq-2.0.4
  15.     Download libdnet-1.12
  16.     Register yourself on snort.org site and download registered rule set - snortrules-snapshot-2972
  17.     Download snort-openappid
  18.     Download just-in-time compiler LuaJIT-2.0.3
  19.  
  20. All the downloaded packages are saved under /home/admin/install directory.
  21.  
  22. Now, let us compile and install them one-by-one.
  23.  
  24. # cd /home/admin/installs
  25. # tar xzvf libdnet-1.12.tar.gz
  26. # cd libdnet-1.12/
  27. # ./configure
  28. # make
  29. # make install
  30. # cd ..
  31. # tar xzvf LuaJIT-2.0.3.tar.gz
  32. # cd LuaJIT-2.0.3/
  33. # make
  34. # make install
  35. # cd ..
  36. # tar -xzvf daq-2.0.4.tar.gz
  37. # cd daq-2.0.4/
  38. # ./configure
  39. # make
  40. # make install
  41. # ldconfig
  42. # cd ..
  43.  
  44. Now, compile snort with openAppID pre-processor.
  45.  
  46. # tar -xvf snort-2.9.7.2.tar.gz
  47. # cd snort-2.9.7.2
  48. # ./configure --enable-sourcefire --enable-open-appid
  49. # make
  50. # make install
  51. # which snort
  52. /usr/local/bin/snort
  53. # /usr/local/bin/snort --version
  54.  
  55. ,,_ -*> Snort! <*-
  56. o" )~ Version 2.9.7.2 GRE (Build 177)
  57.  
  58. Now, configure snort configuration files and create some directories:
  59.  
  60. # mkdir /etc/snort # For configuration
  61. # mkdir /var/log/snort # For log data
  62. # mkdir /usr/local/lib/snort_dynamicrules # For dynamic rules
  63. # mkdir /etc/snort/rules # For normal text rules
  64. # touch /etc/snort/white_list.rules # For white lists
  65. # touch /etc/snort/black_list.rules # For black lists
  66.  
  67. A set of configuration files are included in the snort tarball. These files need be copied into /etc/snort/ directory.
  68.  
  69. # cd /home/admin/installs/snort-2.9.7.2
  70. # cp etc/* /etc/snort/
  71.  
  72. This process will copy the files - file_magic.conf,snort.conf,unicode.map,classification.config,gen-msg.map,reference.config,threshold.conf to /etc/snort
  73.  
  74. Now, extract snort registered rules(snort-snapshot-2.9.7.2) and copy them to /etc/snort
  75.  
  76. # cd /home/admin/installs
  77. # mkdir -p snort_rules
  78. # mv snortrules-snapshot-2.9.7.2.tar.gz snort_rules
  79. # cd snort_rules
  80. # tar -zxvf snortrules-snapshot-2.9.7.2.tar.gz
  81. # cp -r preproc_rules /etc/snort
  82. # cp -r rules /etc/snort
  83. # cp -r so_rules /etc/snort
  84.  
  85. The next step is configure  snort configuration file - /etc/snort/snort.conf. The following changes are required to be made:
  86.  
  87. # vim /etc/snort/snort.conf
  88.  
  89. RULE_PATH /etc/snort/rules
  90. SO_RULE_PATH /etc/snort/so_rules
  91. PREPROC_RULE_PATH /etc/snort/preproc_rules
  92. WHITE_LIST_PATH /etc/snort
  93. BLACK_LIST_PATH /etc/snort
  94.  
  95.  
  96.  
  97.  
  98. # comment path to dynamic rules libraries
  99. #dynamicdetection directory /usr/local/lib/snort_dynamicrules
  100.  
  101. The next step is to add the configuration for the OpenAppID preprocessor to the snort.conf file. Find the lines for the reputation preprocessor. Just after the reputation preprocessor and before Step 6 we will add another preprocessor setting.
  102.  
  103. preprocessor appid: app_stats_filename appstats-u2.log, \
  104.    app_stats_period 60, \
  105.    app_detector_dir /usr/local/snort
  106.  
  107. This will turn on the OpenAppID preprocessor. The first line names the configuration file to which application statistics will be logged, the second one indicates the time period used to sample this data and the third one specifies the directory which contains the odp directory we extracted from the Open App ID Detector package.
  108.  
  109. Now, let us configure output section in snort.conf.
  110.  
  111. Again open snort.conf file and look into Step 6 to find the lines explaining the unified2 output type.
  112.  
  113. In that section add the following line:
  114. output unified2: filename snort_openappid.log, limit 128, appid_event_types
  115.  
  116. Now fire up Snort instance:
  117.  
  118. # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth#
  119.  
  120. Where eth# is which ever interface you will be monitoring with (e.g. eth0).
  121.  
  122.  
  123. Possible Errors
  124.  
  125. 1) daq_static library not found:
  126.  
  127. # ./configure: line 15736: daq-modules-config: command not found
  128. checking for daq_load_modules in -ldaq_static... no
  129.  
  130.    ERROR!  daq_static library not found, go get it from
  131.    http://www.snort.org/.
  132.  
  133. This happens if daq_static library is not in the path. So. add "/usr/local/bin" to the path variable.
  134.  
  135. [root@psj snort-2.9.7.2]# which daq_static
  136. /usr/bin/which: no daq_static in (/sbin:/bin:/usr/sbin:/usr/bin)
  137. [root@psj snort-2.9.7.2]# which daq-modules-config
  138. /usr/bin/which: no daq-modules-config in (/sbin:/bin:/usr/sbin:/usr/bin)
  139. [root@psj snort-2.9.7.2]# export PATH=$PATH:/usr/local/bin
  140.  
  141.  
  142. 2) LuaJIT library not found:
  143.  
  144.  
  145. [root@psj snort-2.9.7.2]# ./configure --enable-sourcefire --enable-open-appid
  146. checking for a BSD-compatible install... /usr/bin/install -c
  147.  
  148. checking pkg-config is at least version 0.9.0... yes
  149. checking for luajit... no
  150.  
  151.    ERROR!  LuaJIT library not found. For better performance, go get it from
  152.    http://www.luajit.org/.
  153. configure: error: "Fatal!"
  154.  
  155. To correct, install  latest version of LuaJIT from http://luajit.org/download.html
  156.  
  157. 3) libluajit-5.1.so.2: cannot open shared object file: No such file or directory
  158.  
  159.   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  160.   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  161.   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  162.   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... ERROR: Failed to load /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
  163. Fatal Error, Quitting..
  164.  
  165. To correct it, do the following:
  166.  
  167. [root@psj snort-2.9.7.2]# ldd /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so
  168.     linux-gate.so.1 =>  (0x007d8000)
  169.     libluajit-5.1.so.2 => not found
  170.     libdnet.1 => /usr/local/lib/libdnet.1 (0x00c79000)
  171.     libpcre.so.0 => /lib/libpcre.so.0 (0x00a7c000)
  172.     libnsl.so.1 => /lib/libnsl.so.1 (0x00d6f000)
  173.     libm.so.6 => /lib/libm.so.6 (0x00667000)
  174.     libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x007d9000)
  175.     libdl.so.2 => /lib/libdl.so.2 (0x00eef000)
  176.     libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x005c5000)
  177.     libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00114000)
  178.     libz.so.1 => /lib/libz.so.1 (0x00e07000)
  179.     libpthread.so.0 => /lib/libpthread.so.0 (0x006e5000)
  180.     libc.so.6 => /lib/libc.so.6 (0x00aac000)
  181.     /lib/ld-linux.so.2 (0x002b8000)
  182.  
  183. # find /usr/ -name libluajit-5.1.so.2 # Check where is the required .so
  184. /usr/local/lib/libluajit-5.1.so.2
  185.  
  186. [root@psj snort-2.9.7.2]# ls -l /usr/local/lib/libluajit-5.1.so.2
  187. lrwxrwxrwx 1 root root 22 Apr 10 12:31 /usr/local/lib/libluajit-5.1.so.2 -> libluajit-5.1.so.2.0.3
  188.  
  189. # ldconfig
  190.  
  191. Again, try to run snort instance:
  192.  
  193. # snort -c /etc/snort/snort.conf -T
  194.  
  195.  
  196. If you wish to write your own OpenAppID plugins or extend/tailor the functionality, technical details are available in this document > https://usermanual.wiki/Pdf/OpenDetectorDeveloperGuide.729399446/html.
  197.  
  198. The following article were very useful while installing and configuring OpenAppID:
  199. 1) http://blog.snort.org/2014/03/firing-up-openappid.html
  200. 2) http://phucnw.blogspot.in/search?q=snort
  201. 3) http://puremonkey2010.blogspot.in/2014/10/snort-customized-appid-lua-script-as.html?m=1
  202. 4) https://www.bilgiguvenligi.gov.tr/saldiri-tespit-sistemleri/snort-openappid-ile-uygulama-farkindaligi.html
  203.  
  204. The following video nicely explains the concepts behind OpenAppID:
  205. 1) http://www.irongeek.com/i.php?page=videos/derbycon4/t402-snort-openappid-how-to-build-an-open-source-next-generation-firewall-adam-hogan
  206. 2) http://blog.snort.org/2014/06/openappid-training-videos-how-to-create.html
  207.  
  208. Presentation links:
  209. 1) https://www.snort.org/documents/openappid-detection-webinar
  210. 2) http://www.centralohioissa.org/wp-content/uploads/2014/07/OpenAppID-ISSA_Rafeeq-Rehman.pdf
  211. 3) https://www.snort.org/documents/55
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top