[Snort-openappid] [Snort-users] Appid question

James Lay jlay at ...45...
Mon Sep 19 11:19:21 EDT 2016


Thanks Costas,

You know I looked at the appid-stats log:

statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"

This is cool, but doesn't give me a source/destination.  I looked at the 
video though and that was good information.  Is there something I'm 
missing from the appid config that will show me source and destination?  
Thank you!

James

On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
> Adding the openappid snort list.
> 
> James, you’re probably looking for something like this training
> video.
> 
> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
> 
> 
> In there it’s including some instructions on how to use the
> app-stats logs and get them exported using the u2streamer utility we
> have developed for this feature.
> 
> Thanks
> Costas
> 
>> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
>> <rucombs at ...5...> wrote:
>> 
>> FYI
>> 
>> -------- Forwarded Message --------
>> 
>> SUBJECT:
>> [Snort-users] Appid question
>> 
>> DATE:
>> Sun, 18 Sep 2016 18:44:41 -0600
>> 
>> FROM:
>> James Lay <jlay at ...45...>
>> 
>> REPLY-TO:
>> jlay at ...45...
>> 
>> TO:
>> Snort <snort-users at lists.sourceforge.net>
>> 
>> Hey all,
>> 
>> This afternoon I found myself mucking around with appid.  I love
>> appid.  Right now it is only accompanying IDS hits.  I was wondering
>> if anyone has put something in place that makes appid almost like
>> a....I want to say netflow, but not quite.  I envision an app
>> reading the appid.u2 file and dumping it to Elasticsearch.  But
>> instead of having only IDS hits, I'd like to try and have snort
>> simply monitor and appid alert all traffic it sees.  Has anyone done
>> anything like this?  Thanks.
>> 
>> James
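As an added example (not code from the thread, Snort, or the u2streamer utility), here is a small parser for the appid-stats record format quoted above. It takes the `key="value"` lines as emitted in the log, totals tx/rx bytes per application, reports how much traffic Snort left as `__unknown` (a useful tuning signal for detector coverage), and lists the field names actually present, which makes the point of the question concrete: the record carries statTime, appName, txBytes and rxBytes and nothing identifying the endpoints. The sample lines are constructed from the ones in the message; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the appid-stats lines quoted in the thread.
SAMPLE_LOG = """\
statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
"""

# One key="value" pair; values may contain spaces ("Mobile Safari") but not quotes.
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Fields every record in this format must carry to be usable.
REQUIRED_FIELDS = {"statTime", "appName", "txBytes", "rxBytes"}
NUMERIC_FIELDS = ("statTime", "txBytes", "rxBytes")


def parse_line(line):
    """Parse one appid-stats record into a dict, or return None if malformed."""
    fields = dict(_FIELD_RE.findall(line))
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    try:
        for name in NUMERIC_FIELDS:
            fields[name] = int(fields[name])
    except ValueError:
        return None  # a counter that is not an integer: skip rather than crash
    return fields


def parse_log(text):
    """Parse a whole log body, silently dropping blank and malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def bytes_per_app(records):
    """Aggregate tx/rx byte counters per appName across all intervals."""
    totals = defaultdict(lambda: {"tx": 0, "rx": 0})
    for rec in records:
        totals[rec["appName"]]["tx"] += rec["txBytes"]
        totals[rec["appName"]]["rx"] += rec["rxBytes"]
    return dict(totals)


def unknown_share(records):
    """Fraction of all bytes that AppID could not classify (0.0 if no traffic)."""
    total = sum(r["txBytes"] + r["rxBytes"] for r in records)
    if total == 0:
        return 0.0
    unknown = sum(r["txBytes"] + r["rxBytes"]
                  for r in records if r["appName"] == "__unknown")
    return unknown / total


def fields_seen(records):
    """Union of field names present; shows what the record does (and does not) contain."""
    names = set()
    for rec in records:
        names.update(rec.keys())
    return names


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for app, counters in sorted(bytes_per_app(recs).items()):
        print(f"{app:15s} tx={counters['tx']:6d} rx={counters['rx']:6d}")
    print(f"unknown share: {unknown_share(recs):.1%}")
    print("fields present:", ", ".join(sorted(fields_seen(recs))))
```

Because the record holds per-application byte counters only, any source/destination view has to come from a different data source (for example the unified2 events that carry the 5-tuple); nothing in this parser can recover endpoints that the stats record never contained.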