[Snort-openappid] Getting the IP address of an App

Costas Kleopa (ckleopa) ckleopa at ...5...
Thu Oct 23 20:25:19 EDT 2014


I forgot to mention that we are also tracking your request on our roadmap to enhance the app-stats file to provide more functionality in the future.

Feel free to let us know of any other suggestions.

Thanks,
Costas

On Oct 23, 2014, at 4:21 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...> wrote:

The alert with the example you also mentioned below would be the way to go:
# option body (msg/sid/rev) added so the rules load; sid values are placeholders from the local range
alert tcp any any -> any any (msg:"appid catch-all tcp"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"appid catch-all udp"; sid:1000002; rev:1;)

The app-stats were designed to show only the amount of traffic on a specific time window per appid.

When the alerts are hit for a specific flow, snort will also include the assigned appid value as long as the appid preprocessor is enabled. You don’t have to log a specific appid in the alert if you just want to get all the available appid(s) traffic we identify.

Thanks
Costas

From: "dpifun at ...43..." <dpifun at ...43...>
Date: Thursday, October 23, 2014 at 3:53 PM
To: "snort-openappid at lists.sourceforge.net" <snort-openappid at lists.sourceforge.net>
Subject: [Snort-openappid] Getting the IP address of an App

We've been looking into using OpenAppID on a project, and while the appstats log is useful it doesn't provide source and destination IP addresses.

It's our understanding that you have to write a rule to fire to obtain that info. It is further our understanding that you can only list at most 10 app names in a rule with :appid. This basically means we're going to have to have a few hundred rules if we wanted to get IP info for all of the detected apps. Our fear is that a few hundred 'alert tcp any any -> any any' might be a performance issue.

Is there a better way? All we want is essentially what we can get from appstats, but with IP address and port information.

Thanks!




------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
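The setup Costas describes, put together as an added example (not code from the thread or from the Snort project): the appid preprocessor enabled, unified2 carrying the appid with each event, and catch-all rules that fire once per flow rather than once per packet. Paths, sids, rule messages, the flowbit name and the application names are assumptions.

```snort
# Added example, not from the thread or the Snort project. Assumptions: the
# OpenAppID detector package is installed under /usr/local/lib/openappid,
# sids 1000001-1000003 are free in the local range, and stream5 is already
# configured for TCP and UDP (appid and flowbits both need flow tracking).

# --- snort.conf ---------------------------------------------------------
# appid preprocessor: detector directory plus the appstats file discussed
# in the thread (bytes per appid per 60 s window, no addresses in it).
preprocessor appid: app_detector_dir /usr/local/lib/openappid, \
    app_stats_filename appstats-u2.log, \
    app_stats_period 60

# unified2 with appid_event_types: each event record now carries the appid
# assigned to the flow, next to the src/dst IP and ports that appstats lacks.
output unified2: filename snort.u2, limit 128, appid_event_types

# --- local.rules --------------------------------------------------------
# Catch-all rules as in the reply, completed with the option body Snort
# requires. The flowbit makes each flow alert once; without it a bare
# "alert tcp any any -> any any" fires on every packet of every flow,
# which is the performance worry raised in the question.
alert tcp any any -> any any (msg:"APPID tcp flow"; flow:established; \
    flowbits:isnotset,appid.logged; flowbits:set,appid.logged; \
    sid:1000001; rev:1;)
alert udp any any -> any any (msg:"APPID udp flow"; \
    flowbits:isnotset,appid.logged; flowbits:set,appid.logged; \
    sid:1000002; rev:1;)

# Per-application variant: appid: takes a comma-separated list of names,
# up to ten per rule as the question notes. The names here are assumptions;
# use the names shipped with your detector package.
alert tcp any any -> any any (msg:"APPID selected apps"; \
    appid: facebook, dropbox, bittorrent; sid:1000003; rev:1;)
```

One caveat to check in your own deployment: appid classifies a flow only after it has inspected payload, so an alert raised on the first established packet may still carry an unknown appid. If the unified2 records show that, alert later in the flow (for example require dsize:>0, or drop the flowbits and accept more events) and compare the per-app counts against the appstats file before trusting the result.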