[Snort-openappid] [Snort-users] Appid question

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Sep 19 11:23:00 EDT 2016


No, unfortunately that is an enhancement we currently don’t support.

We already have this in our roadmap but I am not sure in what release this will be available.

Thanks
Costas

> On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...> wrote:
> 
> Thanks Costas,
> 
> You know I looked at the appid-stats log:
> 
> statTime="1474267800",appName="Mobile 
> Safari",txBytes="9808",rxBytes="9012"
> statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
> statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
> 
> This is cool, but doesn't give me a source/destination.  I looked at the 
> video though and that was good information.  Is there something I'm 
> missing from the appid config that will show me source and destination?  
> Thank you!
> 
> James
> 
> On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
>> Adding the openappid snort list.
>> 
>> James, you’re probably looking for something like this training
>> video.
>> 
>> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
>> 
>> 
>> In there it’s including some instructions on how to use the
>> app-stats logs and get them exported using the u2streamer utility we
>> have developed for this feature.
>> 
>> Thanks
>> Costas
>> 
>>> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
>>> <rucombs at ...5...> wrote:
>>> 
>>> FYI
>>> 
>>> -------- Forwarded Message --------
>>> 
>>> SUBJECT:
>>> [Snort-users] Appid question
>>> 
>>> DATE:
>>> Sun, 18 Sep 2016 18:44:41 -0600
>>> 
>>> FROM:
>>> James Lay <jlay at ...45...>
>>> 
>>> REPLY-TO:
>>> jlay at ...45...
>>> 
>>> TO:
>>> Snort <snort-users at lists.sourceforge.net>
>>> 
>>> Hey all,
>>> 
>>> This afternoon I found myself mucking around with appid.  I love
>>> appid.  Right now it is only accompanying IDS hits.  I was wondering
>>> if anyone has put something in place that makes appid almost like
>>> a....I want to say netflow, but not quite.  I envision an app
>>> reading the appid.u2 file and dumping it to Elasticsearch.  But
>>> instead of having only IDS hits, I'd like to try and have snort
>>> simply monitor and appid alert all traffic it sees.  Has anyone done
>>> anything like this?  Thanks.
>>> 
>>> James
> 
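As an added example (not code from this thread or from the Snort project), here is a small Python reader for the appid-stats format James quoted: it rejoins the record the mail archive line-wrapped, parses the key="value" fields, totals bytes per appName, and reports how much of an interval AppID left as __unknown. The fourth sample record is constructed; the parsed field list also makes the thread's point visible, since these records carry no source or destination fields at all.

```python
import re
from collections import defaultdict

# Sample input: the three appid-stats records quoted in the thread (the first was
# line-wrapped by the mail archive) plus one constructed record for a later interval.
SAMPLE_LOG = "\n".join([
    'statTime="1474267800",appName="Mobile ',
    'Safari",txBytes="9808",rxBytes="9012"',
    'statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"',
    'statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"',
    'statTime="1474268100",appName="Squid",txBytes="1200",rxBytes="300"',  # constructed
])
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def reassemble(text):
    """Rejoin wrapped continuation lines onto their record. Assumption: every
    record starts with statTime=; any other non-empty line is a wrapped tail."""
    records = []
    for line in text.splitlines():
        if line.startswith("statTime="):
            records.append(line)
        elif records and line.strip():
            records[-1] += line
    return records

def parse_log(text):
    """Parse key="value" records into dicts; statTime and byte counters become ints."""
    records = []
    for line in reassemble(text):
        rec = dict(FIELD_RE.findall(line))
        for key in ("statTime", "txBytes", "rxBytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def totals_by_app(records):
    """Sum (txBytes, rxBytes) per appName across all intervals."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        totals[rec["appName"]][0] += rec["txBytes"]
        totals[rec["appName"]][1] += rec["rxBytes"]
    return {app: tuple(tx_rx) for app, tx_rx in totals.items()}

def unclassified_share(records, stat_time):
    """Fraction of bytes in one interval that AppID reported as __unknown."""
    interval = [r for r in records if r["statTime"] == stat_time]
    total = sum(r["txBytes"] + r["rxBytes"] for r in interval)
    unknown = sum(r["txBytes"] + r["rxBytes"] for r in interval if r["appName"] == "__unknown")
    return unknown / total if total else 0.0
```

Running `sorted(parse_log(SAMPLE_LOG)[0])` yields only appName, rxBytes, statTime and txBytes, which is why the endpoint data James asked about has to come from somewhere other than this log.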
