
Topic: OpenAPPID can't found any app.

Offline akong

  • Full Member
  • Posts: 131
  • Karma: +2/-0
OpenAPPID can't found any app.
« on: December 28, 2017, 07:05:14 pm »
I have installed the latest version of Snort, and I have downloaded and enabled the OpenAppID function. I checked remote access in this OpenAppID. But I use AnyDesk. It can't detect it and nothing shows in the alerts. How do I set it up?

Offline bmeeks

  • Hero Member
  • Posts: 3403
  • Karma: +895/-0
Re: OpenAPPID can't found any app.
« Reply #1 on: December 29, 2017, 08:19:36 am »

Offline akong

  • Full Member
  • Posts: 131
  • Karma: +2/-0
Re: OpenAPPID can't found any app.
« Reply #2 on: January 01, 2018, 10:31:46 pm »
I have checked these options. But it still does not show it.

Offline bmeeks

  • Hero Member
  • Posts: 3403
  • Karma: +895/-0
Re: OpenAPPID can't found any app.
« Reply #3 on: January 03, 2018, 10:02:57 am »
I suspect English is not your primary language, and I am struggling a bit to understand 100% what you are telling me.  I think you mean that even after configuring OpenAppID per the linked guide you still are not seeing alerts for AnyDesk.

I am not the author of the OpenAppID rules archive.  I do not know if there is a detection stub and corresponding text rule for that application.  Both of those must exist for the application to be detected.  Are you sure that specific application is present in the OpenAppID stubs from the Snort VRT and also has a corresponding text detection rule in the OpenAppID rules archive maintained by the volunteer contributor?  You may need to create your own custom text rule to detect that application.

Bill

Offline silentnomad

  • Newbie
  • Posts: 1
  • Karma: +0/-0
Re: OpenAPPID can't found any app.
« Reply #4 on: January 20, 2018, 04:13:23 am »
akong, try adding the following custom rule. Change the sid value if it conflicts with any of your existing sid values.

Code:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AnyDesk"; flow:from_client; appid:anydesk; sid:1000055; classtype:misc-activity; rev:1;)
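Bill's point that a text rule only fires when a matching OpenAppID detector exists, and silentnomad's note about sid clashes, can both be checked before reloading Snort. The script below is an added example, not code from this thread or from the Snort/OpenAppID projects: it parses local rules, flags duplicate sids, and cross-checks every appid name against an app list. The app list format is an assumption (tab-separated, numeric id first, app name second, as in an appMapping.data-style file); the sample rules and mapping are constructed inline.

```python
import re

# Constructed sample rules: silentnomad's AnyDesk rule plus two added to exercise the checks
# (a sid clash and an appid with no detector).
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AnyDesk";flow:from_client;appid:anydesk; sid:1000055 ; classtype:misc-activity; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Remote tools; outbound";flow:from_client;appid:teamviewer,vnc; sid:1000055; classtype:misc-activity; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Unknown app";appid:not_a_detector; sid:1000056; rev:1;)
"""

# Constructed stand-in for the OpenAppID app list (assumed layout: id<TAB>name<TAB>...;
# columns after the second are ignored).
APP_MAPPING = "1\tanydesk\t0\tAnyDesk\n2\tteamviewer\t0\tTeamViewer\n3\tvnc\t0\tVNC\n"

# One rule option: keyword, optional ':' value (quoted values may contain ';'), closing ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def load_app_names(mapping_text):
    """Return the lower-cased set of app names a rule's appid option may reference."""
    names = set()
    for line in mapping_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[0].isdigit():
            names.add(fields[1].strip().lower())
    return names

def parse_rule(line):
    """Parse one rule into {option: [values]}; tolerates stray spaces such as 'sid:1000055 ;'."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule: " + line)
    opts = {}
    for om in OPT_RE.finditer(m.group(8)):
        key, val = om.group(1), om.group(2)
        opts.setdefault(key, []).append(val.strip().strip('"') if val else None)
    return opts

def check_rules(rules_text, app_names):
    """Report duplicate sids and appid names that have no detector in app_names."""
    seen, problems = {}, []
    for line in rules_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        opts = parse_rule(line)
        sid = opts.get("sid", [None])[0]
        if sid in seen:
            problems.append(f"sid {sid} duplicated")
        seen[sid] = opts
        for app in ",".join(opts.get("appid", [])).split(","):
            if app and app.lower() not in app_names:
                problems.append(f"sid {sid}: appid '{app}' has no detector")
    return problems
```

Running `check_rules(LOCAL_RULES, load_app_names(APP_MAPPING))` on the sample reports the sid clash and the unknown appid; an empty list means the rules at least reference detectors that exist.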