[Snort-openappid] Getting the IP address of an App

dpifun at ...43...
Thu Oct 23 15:53:52 EDT 2014


We've been looking into using OpenAppID on a project, and while the
appstats log is useful it doesn't provide source and destination IP
addresses. 
It's our understanding that you have to write a rule to fire to obtain
that info. It is further our understanding that you can only list at
most 10 app names in a rule with :appid. This basically means we're
going to have to have a few hundred rules if we wanted to get IP info
for all of the detected apps. Our fear is that a few hundred 'alert
tcp any any -> any any' might be a performance issue.
Is there a better way? All we want is essentially what we can get from
appstats, but with IP address and port information.
Thanks!
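One way to keep the rule count manageable while still getting per-flow addresses, as an added example that is not part of the original post: a small generator that batches application names into `appid` rules, at most 10 names per rule as the post describes, so the resulting alerts carry the source and destination IP/port that appstats lacks. The `appid:` option spelling, the `sid` range starting at 1000001 (local-rule space) and the app names below are assumptions for illustration, not values from the post.

```python
"""Batch OpenAppID application names into Snort alert rules.

Each rule uses the 'appid' option (assumed spelling, per OpenAppID docs) with
up to MAX_APPS_PER_RULE names, so N apps need ceil(N / 10) rules instead of
one rule per app. The alert that fires carries the flow's 5-tuple, which the
appstats log does not.
"""

import re
from typing import Iterable, List

MAX_APPS_PER_RULE = 10  # per-rule limit as stated in the post

# Conservative allow-list for names placed inside a rule option; anything
# else is rejected rather than risk breaking the rule parser.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def sanitize_apps(apps: Iterable[str]) -> List[str]:
    """Deduplicate, strip whitespace and reject names with unsafe characters."""
    seen = set()
    clean = []
    for raw in apps:
        name = raw.strip()
        if not name:
            continue
        if not _NAME_RE.match(name):
            raise ValueError(f"unsafe app name for a rule option: {raw!r}")
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        clean.append(name)
    return clean


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a list into consecutive slices of at most `size` elements."""
    if size < 1:
        raise ValueError("chunk size must be >= 1")
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_rule(apps: List[str], sid: int, proto: str = "tcp", rev: int = 1) -> str:
    """Render one 'alert <proto> any any -> any any' rule for a batch of apps."""
    if not apps:
        raise ValueError("a rule needs at least one app name")
    if len(apps) > MAX_APPS_PER_RULE:
        raise ValueError(f"at most {MAX_APPS_PER_RULE} apps per rule")
    label = ",".join(apps)
    return (
        f'alert {proto} any any -> any any '
        f'(msg:"OpenAppID flow: {label}"; appid:{label}; sid:{sid}; rev:{rev};)'
    )


def generate_rules(apps: Iterable[str], start_sid: int = 1000001,
                   proto: str = "tcp") -> List[str]:
    """Produce the full rule set; SIDs are assigned sequentially from start_sid."""
    rules = []
    for offset, batch in enumerate(chunk(sanitize_apps(apps), MAX_APPS_PER_RULE)):
        rules.append(build_rule(batch, start_sid + offset, proto=proto))
    return rules


# Constructed sample input: 23 hypothetical app names, with one duplicate
# and one padded with whitespace, to exercise the sanitizer.
SAMPLE_APPS = [f"app{i:02d}" for i in range(1, 24)] + ["app05", " app23 "]

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_APPS):
        print(rule)
```

Writing the output to a local rules file and including it from snort.conf gives one alert per matching flow, with IPs and ports, for roughly a tenth of the rules the one-app-per-rule approach would need; the post's performance question about many `any any -> any any` rules still applies, only with a smaller rule count.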