[Snort-openappid] Twitter detector. Error??

Costas Kleopa (ckleopa) ckleopa at ...5...
Thu Nov 5 13:28:00 EST 2015


Carlos,

We took a look at this issue. We have some HTTP based patterns for twitter.com but not for HTTPS. It is possible that you are experiencing this issue. We have plans to add the HTTPS patterns of twitter.com in one of our future releases.

Thank you for bringing it to our attention.
Costas

On Nov 5, 2015, at 1:17 PM, Carlos Rodriguez Hernandez <crodriguezh.ext at ...109...> wrote:

Hello everyone,

I am continuing with my tests of OpenAppID.

I wrote these rules in my file local.rules:

"alert tcp 10.0.30.45 any -> any any (msg:"Skype traffic"; appid: skype_auth skype; sid:1000007; rev:2;)

alert tcp 10.0.30.45 any -> any any (msg:"Twitter traffic"; appid: twitter; sid:1000008; rev:1;)

alert tcp 10.0.30.45 any -> any any (msg:"Linkedin traffic"; appid: linkedin; sid:1000010; rev:1;)"

My system is well configured for my network and these rules.

I run Snort with the following command:
"snort -c /etc/snort/snort.conf -i wlp3s0 -A console"

When I access Linkedin or Skype I can see alerts in the console, but when I access Twitter I can not see any alert.

The strange thing is that if I search Google for twitter4j I get a Twitter alert:
"11/05-19:11:16.730634  [**] [1:1000008:1] Twitter traffic [**] [Priority: 0] [AppID: twitter] {TCP} 10.0.30.45:35876 -> 104.27.137.111:80"

And I have the following log:
"statTime="1446747000",appName="twitter",txBytes="15676",rxBytes="41970""

Is this working correctly?

Thank you very much,
Carlos

--
Carlos Rodríguez Hernández
Fellow Developer
redborder.net | +34 609477932


This email, including attachments, is intended exclusively for its addressee. It contains information that is CONFIDENTIAL whose disclosure is prohibited by law and may be covered by legal privilege. If you have received this email in error, please notify the sender and delete it from your system.
------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
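The pattern Carlos describes (the twitter rule fires for a plaintext connection to port 80 but never for the HTTPS sessions a browser normally opens) can be checked quickly from the "-A console" output rather than by eye. The script below is an added example, not part of this thread or of the Snort/OpenAppID project: it parses console alert lines of the shape quoted above, groups the destination ports each AppID fired on, and reports which of the expected apps were only ever seen on port 80. The sample alert text is constructed; only its first line is the one quoted in the thread, and the LinkedIn and Skype lines, addresses and ports are invented for illustration. The stats parser handles the appName/txBytes/rxBytes line format shown in the message, and the "no-tls" verdict is a triage hint consistent with Costas's explanation (HTTP patterns present, HTTPS patterns absent), not proof of the detector's contents.

```python
import re
from collections import defaultdict

# One Snort "-A console" alert line carrying an AppID, e.g.
# 11/05-19:11:16.730634  [**] [1:1000008:1] Twitter traffic [**] [Priority: 0]
#   [AppID: twitter] {TCP} 10.0.30.45:35876 -> 104.27.137.111:80
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[AppID:\s*(?P<appid>[^\]]+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Key="value" pairs of the appid stats log line quoted in the thread.
STATS_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample. The first line is the alert quoted in the message; the
# LinkedIn and Skype lines (addresses, ports, timestamps) are made up so the
# report has something to compare against.
SAMPLE_ALERTS = """\
11/05-19:11:16.730634  [**] [1:1000008:1] Twitter traffic [**] [Priority: 0] [AppID: twitter] {TCP} 10.0.30.45:35876 -> 104.27.137.111:80
11/05-19:12:01.002310  [**] [1:1000010:1] Linkedin traffic [**] [Priority: 0] [AppID: linkedin] {TCP} 10.0.30.45:40122 -> 198.51.100.10:443
11/05-19:12:05.118002  [**] [1:1000010:1] Linkedin traffic [**] [Priority: 0] [AppID: linkedin] {TCP} 10.0.30.45:40130 -> 198.51.100.10:80
11/05-19:13:44.551900  [**] [1:1000007:2] Skype traffic [**] [Priority: 0] [AppID: skype] {TCP} 10.0.30.45:51002 -> 203.0.113.25:443
this line is not an alert and is skipped
"""

def parse_alerts(text):
    """Yield one dict per alert line that carries an AppID; other lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "sport", "dport"):
            d[k] = int(d[k])
        yield d

def ports_by_appid(text):
    """Map each AppID seen in the alerts to the set of destination ports it fired on."""
    seen = defaultdict(set)
    for a in parse_alerts(text):
        seen[a["appid"]].add(a["dport"])
    return dict(seen)

def coverage_report(text, expected, tls_port=443):
    """For each expected AppID return 'ok' (fired on the TLS port), 'no-tls'
    (fired, but only on non-TLS ports) or 'never' (no alert at all).
    'no-tls' is the symptom of a detector with HTTP patterns but no HTTPS ones."""
    seen = ports_by_appid(text)
    report = {}
    for app in expected:
        ports = seen.get(app, set())
        if tls_port in ports:
            report[app] = "ok"
        elif ports:
            report[app] = "no-tls"
        else:
            report[app] = "never"
    return report

def parse_appid_stats(line):
    """Parse a statTime=...,appName=...,txBytes=...,rxBytes=... line into a dict
    with the numeric fields converted to int."""
    d = dict(STATS_RE.findall(line))
    for k in ("statTime", "txBytes", "rxBytes"):
        if k in d:
            d[k] = int(d[k])
    return d

if __name__ == "__main__":
    for app, verdict in coverage_report(SAMPLE_ALERTS, ["twitter", "linkedin", "skype"]).items():
        print(f"{app:10s} {verdict:8s} ports={sorted(ports_by_appid(SAMPLE_ALERTS).get(app, []))}")
    print(parse_appid_stats('statTime="1446747000",appName="twitter",txBytes="15676",rxBytes="41970"'))
```

Run it against a real capture by piping the console output into a file and passing its contents instead of SAMPLE_ALERTS; an app that shows up in the appid stats log (bytes counted under its appName) while the report says "no-tls" is the situation described in this thread. Note that a "never" verdict can also mean the rule itself is wrong or the source address filter does not match the test host, so check those before blaming the detector.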
