[Snort-openappid] Logging & app_stats_period

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Apr 18 10:10:46 EDT 2016


You can review this blog post also.

http://blog.snort.org/2014/07/openappid-training-videos-integration.html

In there we are mentioning how to use a utility we made called u2streamer which should be able to be used to stream these events to syslog or anywhere else.

Thanks
Costas

> On Apr 17, 2016, at 3:25 PM, Y M <snort at ...46...> wrote:
> 
> 
> Comments inline.
> ________________________________________
> From: Aaron Glenn <aaron.glenn at ...8...>
> Sent: Sunday, April 17, 2016 3:00 PM
> To: snort-openappid at lists.sourceforge.net
> Subject: [Snort-openappid] Logging & app_stats_period
> 
>> Greetings,
> 
>> I have two questions, relating to logging as well as identification granularity:
> 
>> - Is there a recommended or straightforward way to ship appstats logs
>> to either syslog or (ideally) convert to JSON directly? I tried
>> idstools u2json without success. Is anyone using an ELK stack or
>> similar with openappid?
> 
> Not that I am aware of. Yet not straightforward, one option would be once an appstats log file rolls over, move it to another directory or machine and on the receiving end use the u2openappid either to write to a text file which can be parsed or directly syslog it and define a mapping for it. I haven't done this myself but it could be an option.
> 
>> - Can someone point me to more information on how the
>> app_stats_period configuration value changes openappid behavior? (I've
>> yet to dive into the code; I'm not much of a programmer...) Running
>> through larger pcaps I see some but not all of the "Facebook" and
>> "Google" traffic.
> 
> In Snort documentation, page 144, under "Application Usage Statistics" there is this statement "...File name, time interval for statistic....". My interpretation of this given the example log in the documentation tells me that the "app_stats_period" is the interval of time during which txBytes and rxBytes are calculated for a given app. Now this is definitely not accurate or complete, it's just my interpretation and interpretations can be extremely wrong :).
> 
> As for not seeing all "Facebook" and "Google" traffic, as far as I understand, AppID relies on the SSL handshake (non-encrypted) traffic to match with a defined AppID.
> 
>> Many thanks.
> 
>> Aaron
> 
> YM
> 
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-openappid
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
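Added example (not code from the thread or from the Snort project) of the pipeline YM sketches: parse the text records u2openappid prints from a rotated appstats file into JSON lines for a shipper such as Logstash, and read the app_stats_period interval off the statTime buckets. The record layout statTime="…",appName="…",txBytes="…",rxBytes="…" and the 300-second bucket spacing in the constructed sample are assumptions.

```python
"""Convert u2openappid-style appstats text lines to JSON and recover the
stats interval. Added example, not from the thread or the Snort project.
Assumed record format (one application per line):
    statTime="<epoch>",appName="<name>",txBytes="<n>",rxBytes="<n>"
"""
import json
import re

# Constructed sample: two buckets 300 s apart (assumed default app_stats_period).
SAMPLE = """\
statTime="1460919600",appName="facebook",txBytes="4096",rxBytes="131072"
statTime="1460919600",appName="google",txBytes="2048",rxBytes="65536"
statTime="1460919900",appName="facebook",txBytes="1024",rxBytes="8192"
statTime="1460919900",appName="ssl",txBytes="512",rxBytes="4096"
"""
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = ("statTime", "appName", "txBytes", "rxBytes")
INT_FIELDS = ("statTime", "txBytes", "rxBytes")

def parse_record(line):
    """Parse one key="value" record; numeric fields become ints.
    Returns None for lines missing a field or carrying a non-numeric count."""
    rec = dict(FIELD_RE.findall(line))
    if not all(k in rec for k in REQUIRED):
        return None
    try:
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
    except ValueError:
        return None
    return rec

def to_json_lines(text):
    """One JSON document per record, for a line-oriented shipper into ELK."""
    records = map(parse_record, text.splitlines())
    return [json.dumps(r, sort_keys=True) for r in records if r is not None]

def stats_period(text):
    """Infer app_stats_period as the smallest gap between distinct statTime
    values; each bucket holds the tx/rx byte totals for one interval."""
    times = sorted({r["statTime"] for r in map(parse_record, text.splitlines()) if r})
    gaps = [b - a for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None

def bytes_per_app(text):
    """Total txBytes + rxBytes per application across all intervals."""
    totals = {}
    for r in filter(None, map(parse_record, text.splitlines())):
        totals[r["appName"]] = totals.get(r["appName"], 0) + r["txBytes"] + r["rxBytes"]
    return totals
```

Feed the JSON lines to a syslog or file input on the ELK side; the statTime field is the bucket start in epoch seconds.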