Setting Up OpenAppID in Snort from Scratch

In Snort version 2.9.7, Cisco released a new dynamic preprocessor, OpenAppID, which added application identification to Snort's capabilities. Application identification can be used to view how applications are using network resources and to enforce application-aware rules to control and manage applications running on the network.
In this blog you will see how to enable, configure and test OpenAppID in Snort from scratch. So let's start.
Step 1: Enabling OpenAppID
The very first step comes when you are configuring the Snort build: make sure to add --enable-open-appid at the end of the command you use to configure Snort, i.e.
./configure --enable-sourcefire --enable-open-appid

Step 2: Download and Extract the Application Detector Package
Before this step you have to do all the usual configuration of Snort, which I won't be covering here as this blog is specifically about OpenAppID. The next step is to download the Application Detector Package, which contains the rules for detecting types of traffic. You can find this file on the download page, listed as snort-openappid.tar.gz.
wget -O snort-openappid.tar.gz
tar -xvzf snort-openappid.tar.gz

Step 3: Editing Snort.Conf to Configure OpenAppID
We need to configure the OpenAppID preprocessor so that Snort will output the OpenAppID data. To enable the preprocessor, edit the snort.conf file (located at /etc/snort/snort.conf). Add the following lines before the commented-out section 6 (line 512):
preprocessor appid: app_stats_filename appstats-u2.log, \
app_stats_period 60, \
app_detector_dir /etc/snort/rules
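
An added example, not part of the original post or of Snort itself: shell functions that read snort.conf, join the continued "preprocessor appid" lines shown above and check that the detector directory and stats period are usable before Snort is started. The function names are hypothetical, and the check assumes the detector package from Step 2 unpacks into an odp/ directory that must sit inside app_detector_dir.

```shell
#!/bin/sh
# Print the active "preprocessor appid" directive as one line, joining
# backslash continuations and skipping commented-out lines.
appid_directive() {
    awk '
        /^[ \t]*#/ { next }
        { line = buf $0; buf = "" }
        line ~ /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", line); buf = line; next }
        line ~ /^[ \t]*preprocessor[ \t]+appid[ \t]*:/ { print line; exit }
    ' "$1"
}

# Print the value of one option, for example app_detector_dir.
appid_option() {
    appid_directive "$1" | sed 's/^[^:]*://' | tr ',' '\n' |
        awk -v key="$2" '$1 == key { print $2; exit }'
}

# Report problems that would leave OpenAppID without detectors or stats.
# Assumption: the detector package unpacks into an odp/ directory and
# app_detector_dir names the directory that contains it.
check_appid() {
    conf=$1; rc=0
    if [ -z "$(appid_directive "$conf")" ]; then
        echo "FAIL: no active 'preprocessor appid' directive in $conf"; return 1
    fi
    dir=$(appid_option "$conf" app_detector_dir)
    if [ -z "$dir" ]; then echo "FAIL: app_detector_dir is not set"; rc=1
    elif [ ! -d "$dir/odp" ]; then echo "FAIL: $dir/odp not found"; rc=1
    else echo "OK: detectors found under $dir/odp"; fi
    period=$(appid_option "$conf" app_stats_period)
    case $period in
        '') echo "INFO: app_stats_period not set" ;;
        *[!0-9]*) echo "FAIL: app_stats_period '$period' is not a number"; rc=1 ;;
        *) echo "OK: statistics written every $period seconds" ;;
    esac
    return $rc
}

# Constructed sample for trying the checks: writes DIR/snort.conf in the
# format shown above and, when the second argument is "yes", creates DIR/odp.
write_sample_conf() {
    mkdir -p "$1"; [ "$2" = yes ] && mkdir -p "$1/odp"
    printf '%s\n' '# preprocessor appid: app_detector_dir /old/path' \
        'preprocessor appid: app_stats_filename appstats-u2.log, \' \
        '    app_stats_period 60, \' "    app_detector_dir $1" > "$1/snort.conf"
}

# Usage: sh check_appid.sh /etc/snort/snort.conf
[ $# -eq 0 ] || check_appid "$1"
```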

Step 4: Collection of OpenAppID Data

Use the command below to start collecting packets (change the interface as needed), and use Ctrl+C to stop the collection.
If you have output similar to the above, then Snort OpenAppID is successfully installed and it
Posted by Sahibzada Omar (