[Snort-openappid] Specific rule for bandwidth

Gabriel Corre gabriel.corre at ...94...
Mon Sep 14 08:48:05 EDT 2015


Okay, but can we set up the bytes transferred as a trigger for an alert to show up?

--

Gabriel

From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Monday, September 14, 2015 14:33
To: Gabriel Corre <gabriel.corre at ...94...>; snort-openappid at ...19...orge.net
Subject: RE: Specific rule for bandwidth

We don't report bandwidth.  Things like alerts and appstats files, though, will report times and number of bytes transferred, so you may be able to get what you need.

- Mike Stepanek
   mstepane at ...5...

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Monday, September 14, 2015 7:08 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Specific rule for bandwidth

Hello,

I created a rule which is able to catch an application's traffic according to an IP:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BitTorrent detected"; appid:BitTorrent; sid:1000000001;)

However, I would like to view the bandwidth consumed by each IP regarding this app. I don't know how to do that; is it even possible?

Regards,

--

Gabriel Corré
