[Snort-openappid] [Snort-users] Appid question

James Lay jlay at ...45...
Mon Sep 19 11:28:23 EDT 2016


Ah...ok well first +1 to that enhancement :)  So now, how do I emulate 
that via a snort rule(s)?  Something like this:

any any -> any any tcp

seems silly :D  My hope is to log the stream/flow, not single packets or 
specific payloads.  Thanks again Costas.

James

On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
> No unfortunately that is an enhancement we currently don’t support.
> 
> We already have this in our roadmap but I am not sure in what release
> this will be available.
> 
> Thanks
> Costas
> 
>> On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...> wrote:
>> 
>> Thanks Costas,
>> 
>> You know I looked at the appid-stats log:
>> 
>> statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
>> statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
>> statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
>> 
>> This is cool, but doesn't give me a source/destination.  I looked at the
>> video though and that was good information.  Is there something I'm
>> missing from the appid config that will show me source and destination?
>> Thank you!
>> 
>> James
>> 
>> On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
>>> Adding the openappid snort list.
>>> 
>>> James, you’re probably looking for something like this training
>>> video.
>>> 
>>> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
>>> 
>>> 
>>> In there it’s including some instructions on how to use the
>>> app-stats logs and get them exported using the u2streamer utility we
>>> have developed for this feature.
>>> 
>>> Thanks
>>> Costas
>>> 
>>>> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
>>>> <rucombs at ...5...> wrote:
>>>> 
>>>> FYI
>>>> 
>>>> -------- Forwarded Message --------
>>>> 
>>>> SUBJECT:
>>>> [Snort-users] Appid question
>>>> 
>>>> DATE:
>>>> Sun, 18 Sep 2016 18:44:41 -0600
>>>> 
>>>> FROM:
>>>> James Lay <jlay at ...45...>
>>>> 
>>>> REPLY-TO:
>>>> jlay at ...45...
>>>> 
>>>> TO:
>>>> Snort <snort-users at lists.sourceforge.net>
>>>> 
>>>> Hey all,
>>>> 
>>>> This afternoon I found myself mucking around with appid.  I love
>>>> appid.  Right now it is only accompanying IDS hits.  I was wondering
>>>> if anyone has put something in place that makes appid almost like
>>>> a....I want to say netflow, but not quite.  I envision an app
>>>> reading the appid.u2 file and dumping it to Elasticsearch.  But
>>>> instead of having only IDS hits, I'd like to try and have snort
>>>> simply monitor and appid alert all traffic it sees.  Has anyone done
>>>> anything like this?  Thanks.
>>>> 
>>>> James
>> 