[Snort-openappid] Specific rule for bandwidth

Gabriel Corre gabriel.corre at ...94...
Mon Sep 14 10:11:06 EDT 2015


Hmm, and what about the « stream_size » option?
« The stream_size keyword allows a rule to match traffic according to the number of bytes observed, as determined by
the TCP sequence numbers. »
So I wrote this rule:
"alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WARNING! Session bandwidth > 8 bytes"; stream_size:both,>,8; sid:1000000001;)"
Can you tell me if, each time the alert is triggered, the "stream_size" is reset, or if it will still count the number of bytes observed?
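Added example, not code from the thread or from Snort: a small Python model of the stream_size test as the quoted manual sentence describes it, with per-direction byte counts taken from the distance between each side's initial sequence number and its current one (modulo 2^32). The direction, operator and threshold names follow the rule option syntax; the match logic and the session state dicts are my assumptions, and the reset-after-alert behaviour asked about above is not modelled.

```python
import operator

# Comparison operators accepted by stream_size:<dir>,<op>,<bytes>
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq,
       "!=": operator.ne, ">=": operator.ge, "<=": operator.le}


def seq_bytes(isn: int, cur_seq: int) -> int:
    """Bytes one side has sent: distance from its ISN, modulo 2^32
    so that a sequence number wrap-around still counts correctly."""
    return (cur_seq - isn) & 0xFFFFFFFF


def parse_stream_size(option: str):
    """Parse 'stream_size:both,>,8;' into ('both', '>', 8)."""
    body = option.split(":", 1)[1].strip().rstrip(";")
    direction, op, size = (p.strip() for p in body.split(","))
    if direction not in ("client", "server", "both", "either") or op not in OPS:
        raise ValueError(f"bad stream_size option: {option!r}")
    return direction, op, int(size)


def stream_size_match(direction: str, op: str, threshold: int,
                      client: dict, server: dict) -> bool:
    """Evaluate the option against one session (assumed state model):
    client/server are {'isn': <initial seq>, 'seq': <current seq>}."""
    cmp = OPS[op]
    c = cmp(seq_bytes(client["isn"], client["seq"]), threshold)
    s = cmp(seq_bytes(server["isn"], server["seq"]), threshold)
    return {"client": c, "server": s, "both": c and s, "either": c or s}[direction]


def demo() -> dict:
    """Constructed session: client has sent 10 bytes, server 5 bytes."""
    client = {"isn": 1000, "seq": 1010}
    server = {"isn": 5000, "seq": 5005}
    rule = parse_stream_size("stream_size:both,>,8;")
    return {
        "both": stream_size_match(*rule, client, server),          # False: server side is only 5
        "either": stream_size_match("either", ">", 8, client, server),  # True: client side is 10
    }


if __name__ == "__main__":
    print(demo())
```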

From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Monday, September 14, 2015 15:33
To: Gabriel Corre <gabriel.corre at ...94...>; snort-openappid at ...19...orge.net
Subject: RE: Specific rule for bandwidth

That's currently not supported.

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Monday, September 14, 2015 8:48 AM
To: Mike Stepanek (mstepane) <mstepane at ...5...>; snort-openappid at lists.sourceforge.net
Subject: RE: Specific rule for bandwidth

Okay, but can we set up the bytes transferred as a trigger for an alert to show up?

--

Gabriel

From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Monday, September 14, 2015 14:33
To: Gabriel Corre <gabriel.corre at ...94...>; snort-openappid at lists.sourceforge.net
Subject: RE: Specific rule for bandwidth

We don't report bandwidth.  Things like alerts and appstats files, though, will report times and number of bytes transferred, so you may be able to get what you need.

- Mike Stepanek
   mstepane at ...5...

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Monday, September 14, 2015 7:08 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Specific rule for bandwidth

Hello,

I created a rule which is able to catch an application's traffic according to an IP:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BitTorrent detected"; appid:BitTorrent; sid:1000000001;)

However, I would like to view the bandwidth consumed by each IP regarding this app. I don't know how to do that; is it even possible?

Regards,

--

Gabriel Corré
