[Snort-openappid] How u2streamer works?

Costas Kleopa (ckleopa) ckleopa at ...5...
Wed Sep 2 09:43:38 EDT 2015


We have a video/demo on how we have used u2streamer in the following blog.

OpenAppID Training Videos: Integration with Splunk<http://blog.snort.org/2014/07/openappid-training-videos-integration.html>

That should give a better explanation on how u2streamer works there.

Thanks
Costas

On Sep 2, 2015, at 9:24 AM, C. L. Martinez <carlopmart at ...8...> wrote:

Hi all,

I have enabled openappid in my snort host using the following config:

preprocessor appid: app_detector_dir /data/config/etc/idpsnort/common, \
  app_stats_filename appid.log, app_stats_period 60, memcap 134217728

and adding "appid_event_types" to output unified2. I can see caught
apps in the appid.log files like:

statTime="1441199700",appName="ldap",txBytes="6966",rxBytes="4588"
statTime="1441199700",appName="netbios-ssn",txBytes="40440",rxBytes="22780"
statTime="1441199700",appName="ssl",txBytes="26962",rxBytes="15450"
statTime="1441199700",appName="tds",txBytes="124129",rxBytes="195674"
statTime="1441199700",appName="https",txBytes="36059",rxBytes="241232"
statTime="1441199700",appName="ssl_client",txBytes="11960",rxBytes="14010"
statTime="1441199700",appName="rubicon_project",txBytes="11960",rxBytes="14010"
statTime="1441199700",appName="dce_endpoint_re",txBytes="1912",rxBytes="1680"
statTime="1441199760",appName="flickr",txBytes="3842",rxBytes="28280"
statTime="1441199760",appName="ftp",txBytes="7248",rxBytes="6466"
statTime="1441199760",appName="mapi",txBytes="8914",rxBytes="7326"
statTime="1441199760",appName="ldp",txBytes="216674",rxBytes="6132"
statTime="1441199760",appName="dns",txBytes="1260",rxBytes="3628"
statTime="1441199760",appName="kerberos",txBytes="19138",rxBytes="9814"
statTime="1441199760",appName="ldap",txBytes="86081",rxBytes="109207"
statTime="1441199760",appName="netbios-ssn",txBytes="208458",rxBytes="339704"
statTime="1441199760",appName="smtp",txBytes="6782",rxBytes="2580"
statTime="1441199760",appName="ssl",txBytes="147194",rxBytes="939822"
statTime="1441199760",appName="tds",txBytes="1242487",rxBytes="4028056"
statTime="1441199760",appName="https",txBytes="68706",rxBytes="286836"
statTime="1441199760",appName="ssl_client",txBytes="27540",rxBytes="112998"
statTime="1441199760",appName="microsoft",txBytes="4206",rxBytes="9884"
statTime="1441199760",appName="google_accounts",txBytes="1548",rxBytes="9810"
statTime="1441199760",appName="yahoo_login",txBytes="17944",rxBytes="65024"
statTime="1441199760",appName="dce_endpoint_re",txBytes="18642",rxBytes="16248"
statTime="1441199760",appName="microsoft_globa",txBytes="5960",rxBytes="3728"
statTime="1441198560",appName="https",txBytes="549134",rxBytes="983710"
statTime="1441198560",appName="ssl_client",txBytes="549134",rxBytes="983710"
statTime="1441198560",appName="microsoft",txBytes="549134",rxBytes="983710"

I have the following logs inside logdir:

root at ...101...:/nsm/logs/idpsnort01# ls -al
total 560
drwxr-xr-x 2 root root   4096 Sep  2 13:18 .
drwxr-xr-x 4 root root     43 Sep  1 14:09 ..
-rw-r----- 1 root root 186944 Sep  2 12:39 appid.log.1441191600
-rw-r----- 1 root root   4128 Sep  2 12:53 appid.log.1441198260
-rw-r----- 1 root root  38160 Sep  2 13:21 appid.log.1441198500
-rw-r--r-- 1 root root      0 Sep  2 10:58 fast.log
-rw-r--r-- 1 root root      0 Sep  2 10:58 full.log
-rw-r----- 1 root root  18535 Sep  2 12:53 preprocs_20-avg_stats.log
-rw-r----- 1 root root   6780 Sep  2 12:53 rules_25-total_stats.log
-rw-r----- 1 root root 256646 Sep  2 13:21 scans.log
-rw-rw-rw- 1 root root  26164 Sep  2 13:19 snort.stats
-rw------- 1 root root    256 Sep  2 13:18 tt.log.bookmark
-rw-r----- 1 root root      0 Sep  2 10:59 unified2.alert.1441191572
-rw-r----- 1 root root      0 Sep  2 12:43 unified2.alert.1441197780
-rw-r----- 1 root root      0 Sep  2 12:47 unified2.alert.1441198044
-rw-r----- 1 root root      0 Sep  2 12:50 unified2.alert.1441198255
-rw-r----- 1 root root      0 Sep  2 12:54 unified2.alert.1441198463

appid.log.xxxxxx are generated by the openappid preprocessor. But when I
run u2streamer:

root at ...101...:/nsm/logs/idpsnort01# u2streamer --path=/nsm/logs/idpsnort01 --name=tt.log
Looking with timestamp: 0

No log is generated ...

Where am I making the mistake? Or is it necessary to create an alert
rule for every appid for u2streamer to work?

Thanks.
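An added example, not from the thread or from the Snort project, that parses the appid.log stats format quoted above using a constructed sample: it sums tx/rx bytes per application across the 60-second periods and flags records in the same statTime period that carry identical counters, as the last https/ssl_client/microsoft lines above do (summing per-app totals would count those bytes more than once).

```python
import re
from collections import defaultdict

# Constructed sample in the appid.log format shown in the thread
# (one record per app per app_stats_period; one malformed line on purpose).
SAMPLE_APPID_LOG = """\
statTime="1441199700",appName="ldap",txBytes="6966",rxBytes="4588"
statTime="1441199700",appName="ssl",txBytes="26962",rxBytes="15450"
statTime="1441199760",appName="ldap",txBytes="86081",rxBytes="109207"
statTime="1441199760",appName="ssl",txBytes="147194",rxBytes="939822"
statTime="1441198560",appName="https",txBytes="549134",rxBytes="983710"
statTime="1441198560",appName="ssl_client",txBytes="549134",rxBytes="983710"
this line is not an appid record and must be skipped
"""

# key="value" pairs separated by commas, as written by the appid preprocessor
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_appid_line(line):
    """Return one appid.log record as a dict, or None if the line is malformed."""
    fields = dict(_FIELD_RE.findall(line))
    try:
        return {
            "statTime": int(fields["statTime"]),
            "appName": fields["appName"],
            "txBytes": int(fields["txBytes"]),
            "rxBytes": int(fields["rxBytes"]),
        }
    except (KeyError, ValueError):
        return None


def totals_per_app(text):
    """Sum (txBytes, rxBytes) per appName across all stats periods."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        rec = parse_appid_line(line)
        if rec is None:
            continue  # skip lines that are not appid records
        totals[rec["appName"]][0] += rec["txBytes"]
        totals[rec["appName"]][1] += rec["rxBytes"]
    return {app: tuple(v) for app, v in totals.items()}


def shared_counters(text):
    """Map (statTime, txBytes, rxBytes) to the apps that report exactly those counters
    in the same period; only groups with more than one app are returned."""
    seen = defaultdict(list)
    for line in text.splitlines():
        rec = parse_appid_line(line)
        if rec is not None:
            seen[(rec["statTime"], rec["txBytes"], rec["rxBytes"])].append(rec["appName"])
    return {key: apps for key, apps in seen.items() if len(apps) > 1}
```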
