[Snort-openappid] Getting the IP address of an App
Costas Kleopa (ckleopa)
ckleopa at ...5...
Thu Oct 23 16:20:39 EDT 2014
The alert with the example you also mentioned below would be the way to go:
alert tcp any any -> any any
alert udp any any -> any any
The app-stats were designed to show only the amount of traffic on a specific time window per appid.
When the alerts are hit for a specific flow, snort will also include the assigned appid value as long as the appid preprocessor is enabled. You don’t have to log a specific appid in the alert if you just want to get all the available appid(s) traffic we identify.
From: dpifun at ...43...
Date: Thursday, October 23, 2014 at 3:53 PM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Getting the IP address of an App
We've been looking into using OpenAppID on a project, and while the appstats log is useful it doesn't provide source and destination IP addresses.
It's our understanding that you have to write a rule to fire to obtain that info. It is further our understanding that you can only list at most 10 app names in a rule with :appid. This basically means we're going to have to have a few hundred rules if we wanted to get IP info for all of the detected apps. Our fear is that a few hundred 'alert tcp any any -> any any' might be a performance issue.
Is there a better way? All we want is essentially what we can get from appstats, but with IP address and port information.
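Putting the two messages together (catch-all alert rules, with the appid preprocessor tagging each alert), here is an added example, not from this list or the Snort project, that reduces such alerts to the per-app source/destination IP and port view the question asks for. It assumes the alert_fast line carries an "[AppID: name]" field ahead of the protocol and addresses; the alert lines are constructed, not real captures.

```python
import re
from collections import Counter, defaultdict

# Assumed shape of a Snort alert_fast line once the appid preprocessor is enabled:
# an "[AppID: <name>]" field appears before the {PROTO} src:port -> dst:port part.
# These sample lines are constructed for this example, not real captures.
SAMPLE_ALERTS = """\
10/23-15:53:01.000001  [**] [1:1000001:1] catch-all tcp [**] [Priority: 3] [AppID: HTTP] {TCP} 10.0.0.5:51234 -> 93.184.216.34:80
10/23-15:53:02.000002  [**] [1:1000001:1] catch-all tcp [**] [Priority: 3] [AppID: HTTP] {TCP} 10.0.0.5:51235 -> 93.184.216.34:80
10/23-15:53:03.000003  [**] [1:1000002:1] catch-all udp [**] [Priority: 3] [AppID: DNS] {UDP} 10.0.0.5:40000 -> 10.0.0.1:53
10/23-15:53:04.000004  [**] [1:1000001:1] catch-all tcp [**] [Priority: 3] {TCP} 10.0.0.7:44444 -> 192.0.2.9:4444
"""

# The AppID field is optional: a flow the preprocessor could not classify
# still produces an alert from the catch-all rule, just without the tag.
ALERT_RE = re.compile(
    r"(?:\[AppID: (?P<app>[^\]]+)\] )?\{(?P<proto>\w+)\} "
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+) -> (?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict with app, proto, src, sport, dst, dport, or None if the line does not match."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["app"] = rec["app"] or "unknown"  # untagged flows are kept, not silently dropped
    return rec


def flows_by_app(text):
    """Map app name -> Counter of (proto, src, sport, dst, dport) tuples seen in the alert text."""
    out = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        out[rec["app"]][key] += 1
    return out


if __name__ == "__main__":
    for app, flows in sorted(flows_by_app(SAMPLE_ALERTS).items()):
        print(app)
        for (proto, src, sport, dst, dport), n in flows.most_common():
            print(f"  {proto} {src}:{sport} -> {dst}:{dport}  x{n}")
```

Two catch-all rules (one tcp, one udp) are enough to feed this; the per-app breakdown comes from the tag the preprocessor adds, not from listing app names in rules.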