[Snort-openappid] Specific rule for bandwidth

Mike Stepanek (mstepane) mstepane at ...5...
Mon Sep 14 09:33:19 EDT 2015

That's currently not supported.

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Monday, September 14, 2015 8:48 AM
To: Mike Stepanek (mstepane) <mstepane at ...5...>; snort-openappid at ...11...ceforge.net
Subject: RE: Specific rule for bandwidth

Okay, but can we set up the bytes transferred as a trigger for an alert to show up?



From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Monday, September 14, 2015 14:33
To: Gabriel Corre <gabriel.corre at ...94...>; snort-openappid at ...19...orge.net
Subject: RE: Specific rule for bandwidth

We don't report bandwidth.  Things like alerts and appstats files, though, will report times and number of bytes transferred, so you may be able to get what you need.

- Mike Stepanek
   mstepane at ...5...

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Monday, September 14, 2015 7:08 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Specific rule for bandwidth


I created a rule which is able to catch an application's traffic according to an IP:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BitTorrent detected"; appid:BitTorrent; sid:1000000001;)

However, I would like to view the bandwidth consumed by each IP regarding this app. I don't know how to do that; is it even possible?



Gabriel Corré
