[Snort-openappid] Rules to detect flows?

Costas Kleopa (ckleopa) ckleopa at ...5...
Sat Nov 1 19:58:51 EDT 2014


Unfortunately, providing the received and sent bytes per connection in the alerts is something that is not supported in this release, and we have also noted it in our roadmap for this feature.

The only way you can get the received/sent bytes per AppID is on a per timed interval through the use of the app-stats logs.

Thanks,
Costas

On Nov 1, 2014, at 7:47 PM, "dpifun at ...43...<mailto:dpifun at ...43...>" <dpifun at ...43...<mailto:dpifun at ...43...>> wrote:

We're trying to detect apps with rules to get the IP, port pair. But, we've run into a snag.

A simple rule for detecting SSH connections regardless of the port:

alert tcp any any -> any any (msg:"ssh"; appid: ssh openssh; sid:1000000; rev:1;)

This rule, however, creates a huge number of alerts for a single SSH connection.  While we're not snort rule experts, using flowbits seems to be the way. But, we're a bit lost on how to get ONLY an alert at the beginning of an SSH connection and at the end. It would be cool if we could get the number of bytes sent/received for the connection but that seems impossible.

We tried using the S and F flags without success.

Any help appreciated!

------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
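One way to get a single alert at the start and a single alert at the end of each SSH flow, as asked in the quoted message, is to gate the appid match with flowbits so a marker bit is set on the first hit and checked on every later packet. This is an added example, not a rule pair from the thread or from the Snort project; it assumes Snort 2.9.x with OpenAppID and the stream preprocessor enabled, and the SIDs and flowbit names are placeholders.

```snort
# Added example (not from the original thread). One alert when AppID first
# classifies a flow as SSH, one alert when that flow starts tearing down.
# Assumes Snort 2.9.x with OpenAppID and stream5 enabled; SIDs 1000001 and
# 1000002 and the flowbit names ssh.seen / ssh.ended are placeholders.

# Start of flow: fires only while the marker bit is unset, then sets it, so
# every later SSH packet in the same session fails the isnotset check.
alert tcp any any -> any any (msg:"SSH flow start"; \
  appid: ssh openssh; \
  flowbits:isnotset,ssh.seen; flowbits:set,ssh.seen; \
  sid:1000001; rev:1;)

# End of flow: fires on the first FIN (F+ means FIN plus any other flags)
# of a session the start rule already marked. A second bit, not an unset of
# ssh.seen, keeps the final teardown packets from re-triggering the start
# rule. Flows torn down with RST instead of FIN never hit this rule.
alert tcp any any -> any any (msg:"SSH flow end"; \
  flowbits:isset,ssh.seen; flowbits:isnotset,ssh.ended; \
  flags:F+; flowbits:set,ssh.ended; \
  sid:1000002; rev:1;)
```

Per-flow byte counts are still not available in these alerts; as the reply above notes, those come only from the interval-based app-stats logs.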