[Snort-openappid] Logging & app_stats_period

Y M snort at ...46...
Sun Apr 17 15:25:05 EDT 2016

Comments inline.
From: Aaron Glenn <aaron.glenn at ...8...>
Sent: Sunday, April 17, 2016 3:00 PM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Logging & app_stats_period


>I have two questions, relating to logging as well as identification granularity:

>- Is there a recommended or straightforward way to ship appstats logs
>to either syslog or (ideally) convert to JSON directly? I tried
>idstools u2json without success. Is anyone using an ELK stack or
>similar with openappid?

Not that I am aware of. Though not straightforward, one option would be, once an appstats log file rolls over, to move it to another directory or machine and on the receiving end use u2openappid either to write to a text file which can be parsed or to syslog it directly and define a mapping for it. I haven't done this myself but it could be an option.

>- Can someone point me to more information on how the
>app_stats_period configuration value changes openappid behavior? (I've
>yet to dive into the code; I'm not much of a programmer...) Running
>through larger pcaps I see some but not all of the "Facebook" and
>"Google" traffic.

In the Snort documentation, page 144, under "Application Usage Statistics" there is this statement: "...File name, time interval for statistic....". My interpretation of this, given the example log in the documentation, is that "app_stats_period" is the interval of time during which txBytes and rxBytes are calculated for a given app. Now this is definitely not accurate or complete, it's just my interpretation and interpretations can be extremely wrong :).

As for not seeing all "Facebook" and "Google" traffic, as far as I understand, AppID relies on the (non-encrypted) SSL handshake traffic to match with a defined AppID.

>Many thanks.
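One way to do the "write to a text file which can be parsed" step from the reply above: convert u2openappid-style appstats text into newline-delimited JSON that Filebeat or Logstash can ship into an ELK stack. This is an added example, not code from the thread, from u2openappid or from the Snort project. It assumes the key="value",key="value" line layout (statTime, appName, txBytes, rxBytes) that the Snort manual's Application Usage Statistics example shows for u2openappid output; the sample lines below are constructed, not captured from a sensor, and include one malformed line and one extra field so the parser's handling of them is visible.

```python
"""Convert u2openappid-style appstats text lines to newline-delimited JSON.

Added example (not from the mailing list thread or the Snort project).
Assumes the key="value",key="value" layout that the Snort manual shows for
u2openappid output (statTime, appName, txBytes, rxBytes); the sample lines
below are constructed, not captured from a sensor.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample of u2openappid text output: two normal records, one
# garbage line that must be skipped, and one record carrying an extra field.
SAMPLE_LINES = """\
statTime="1460920800",appName="ssl",txBytes="2264",rxBytes="3406"
statTime="1460920800",appName="facebook",txBytes="15204",rxBytes="203311"
this line is garbage and must be skipped
statTime="1460920860",appName="google",txBytes="8192",rxBytes="65536",vlan="10"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED_FIELDS = {"statTime", "appName", "txBytes", "rxBytes"}
NUMERIC_FIELDS = {"statTime", "txBytes", "rxBytes"}


def parse_line(line):
    """Return a dict for one appstats line, or None if the line is not usable."""
    fields = dict(FIELD_RE.findall(line))
    # A usable record needs at least the four fields the manual documents.
    if not REQUIRED_FIELDS <= set(fields):
        return None
    record = {}
    for key, value in fields.items():
        if key in NUMERIC_FIELDS:
            try:
                record[key] = int(value)
            except ValueError:
                return None  # non-integer counters indicate a corrupt line
        else:
            record[key] = value
    # Add an ISO-8601 timestamp so Elasticsearch can map the field as a date.
    record["@timestamp"] = datetime.fromtimestamp(
        record["statTime"], tz=timezone.utc
    ).isoformat()
    record["totalBytes"] = record["txBytes"] + record["rxBytes"]
    return record


def to_ndjson(text):
    """Convert a block of appstats text into a list of JSON strings, one per record."""
    docs = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            docs.append(json.dumps(rec, sort_keys=True))
    return docs


def bytes_per_app(text):
    """Aggregate total bytes per application; a quick sanity check before shipping."""
    totals = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["appName"]] = totals.get(rec["appName"], 0) + rec["totalBytes"]
    return totals


if __name__ == "__main__":
    # Each printed line is one JSON document, ready for a file-tailing shipper.
    for doc in to_ndjson(SAMPLE_LINES):
        print(doc)
```

Run it against the real text file that u2openappid produces instead of SAMPLE_LINES and redirect stdout to a file that Filebeat tails; unknown extra fields are passed through unchanged, so nothing is lost if the sensor emits more than the four documented keys.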


