[Snort-openappid] Fwd: [Snort-users] Open App Id

Joel Esler jesler at ...5...
Mon Apr 4 08:35:05 EDT 2016



Forwarded message:

> From: valentin.giraud at ...128...
> To: Snort Users <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Fwd: Open App Id
> Date: Mon, 4 Apr 2016 13:17:29 +0200
>
>
>
> -------- Original message --------
> Subject: Open App Id
> Date: 04.04.2016 11:07
> From: valentin.giraud at ...128...
> To: snort-users at lists.sourceforge.net
>
> Hi snort community,
>
> I am currently trying to write some detectors in Lua for App Id.
> But there are 2 or 3 things that I need your help to understand.
> - In what way can I use the "appMapping.data"? Because I wrote some
> Lua detectors and they work without using it...
> - There are a lot of apps that are not working really well, e.g. when I
> go on "www.facebook.com" it works only from time to time... Have you
> any idea?
> - I have a lot of DNS and __unknown AppNames, do you have any idea
> where it could come from?
>
> examples of a session:
>
> ********
> statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
> statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
> statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
> statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
> statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
> statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
> statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
> statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
> statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
> statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
> statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
> statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
> statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
> statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
> statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
> statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
> statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
> statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
> statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
> statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
> statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
> statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
> statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
> statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
> statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
>
> ************
>
> Valentin.
>
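The stats lines quoted above carry one app label per reporting interval, so a client label (Firefox), a service label (HTTP) and a payload label (Google Maps) can all describe the same bytes, and the wrapped lines in the paste break the `key="value"` layout. As an added example, not code from the thread or from the OpenAppID project, here is a small parser for that layout that re-joins lines wrapped inside a quoted app name, tolerates junk lines, and reports how much of the labelled traffic is left as `__unknown`; the sample input is constructed, and the reading of the fields as per-label interval totals is my assumption from the post's output, not a documented format.

```python
import re
from collections import defaultdict

# Constructed sample in the key="value" layout quoted in the post: one app label
# per interval, a name containing a space, a line wrapped inside a value, junk.
SAMPLE_STATS = """\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459759190",appName="Google
APIs",txBytes="5864",rxBytes="8620"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
garbage line without fields
"""
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = {"statTime", "appName", "txBytes", "rxBytes"}

def parse_stats(text):
    """Parse stats lines into dicts. A line with an odd number of quotes was wrapped
    inside a quoted value and is re-joined with the next; incomplete lines are skipped."""
    joined, pending = [], None
    for line in text.splitlines():
        if pending is not None:
            line, pending = pending + " " + line.strip(), None
        if line.count('"') % 2:
            pending = line
            continue
        joined.append(line)
    records = []
    for line in joined:
        fields = dict(FIELD_RE.findall(line))
        if REQUIRED.issubset(fields):
            records.append({"statTime": int(fields["statTime"]), "appName": fields["appName"],
                            "txBytes": int(fields["txBytes"]), "rxBytes": int(fields["rxBytes"])})
    return records

def per_app_bytes(records):
    """Bytes per label. Client (Firefox), service (HTTP) and payload (Google Maps)
    labels can cover the same traffic, so these overlap rather than partition it."""
    totals = defaultdict(int)
    for r in records:
        totals[r["appName"]] += r["txBytes"] + r["rxBytes"]
    return dict(totals)

def unclassified_share(records):
    """Fraction of labelled bytes left as __unknown; a rising value is the cue to
    look at which flows the detectors fail to identify."""
    total = sum(r["txBytes"] + r["rxBytes"] for r in records)
    return per_app_bytes(records).get("__unknown", 0) / total if total else 0.0
```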
