[Snort-openappid] [Snort-users] Appid question

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Sep 19 11:38:35 EDT 2016

We have visited this before on the “[Snort-openappid] Snort appid flow logging” thread, on which we gave some suggestions like these:

alert tcp any any -> any any (msg:"ssh start"; flow:established; appid:ssh; flowbits:isnotset,sof; flowbits:set,sof; sid:1; )

alert tcp any any -> any any (msg:"ssh finish"; flow:established; flags:*FR; flowbits:isset,sof; flowbits:isnotset,eof; flowbits:set,eof; sid:2; )

Hopefully those would help you get what you’re looking for.


On Sep 19, 2016, at 11:28 AM, James Lay <jlay at ...45...> wrote:

Ah...ok well first +1 to that enhancement :)  So now, how do I emulate that via a snort rule(s)?  Something like this:

any any -> any any tcp

seems silly :D  My hope is to log the stream/flow, not single packets or specific payloads.  Thanks again Costas.


On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
No unfortunately that is an enhancement we currently don’t support.
We already have this in our roadmap but I am not sure in what release
this will be available.
On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...> wrote:
Thanks Costas,
You know I looked at the appid-stats log:
This is cool, but doesn't give me a source/destination.  I looked at the
video though and that was good information.  Is there something I'm
missing from the appid config that will show me source and destination?
Thank you!
On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
Adding the openappid snort list.
James, you’re probably looking for something like this training.
It includes some instructions on how to use the
app-stats logs and get them exported using the u2streamer utility we
have developed for this feature.
On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
<rucombs at ...5...> wrote:
-------- Forwarded Message --------
Subject: [Snort-users] Appid question
Date: Sun, 18 Sep 2016 18:44:41 -0600
From: James Lay <jlay at ...45...>
Reply-To: jlay at ...45...
To: Snort <snort-users at lists.sourceforge.net>
Hey all,
This afternoon I found myself mucking around with appid.  I love
appid.  Right now it is only accompanying IDS hits.  I was wondering
if anyone has put something in place that makes appid almost like
a....I want to say netflow, but not quite.  I envision an app
reading the appid.u2 file and dumping it to Elasticsearch.  But
instead of having only IDS hits, I'd like to try and have snort
simply monitor and appid alert all traffic it sees.  Has anyone done
anything like this?  Thanks.
James
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
Please visit http://blog.snort.org to stay current on all the latest Snort news!
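The two rules at the top of this thread rely on per-flow flowbits to fire exactly once at the start of an identified SSH flow and once when it tears down. The model below is an added illustration, not code from the thread or from Snort: it replays the rule logic over a constructed packet sequence so the effect of each isnotset/set pair is visible. Packet, run and flow_records are assumed names; the flow keys and flag strings are constructed sample data.

```python
"""Model of the flowbits state machine behind the two appid rules.
Added illustration; not code from the thread or from Snort itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    flow: str            # constructed flow key, e.g. "c:51234->s:22"
    flags: str           # TCP flags using Snort's letters: S A P F R
    established: bool    # outcome of Snort's flow:established check
    appid: Optional[str]  # AppID verdict so far for this flow, None if undecided


# flowbits are scoped to a flow, so keep one set of bit names per flow key
flowbits: Dict[str, Set[str]] = defaultdict(set)


def rule_ssh_start(pkt: Packet) -> bool:
    """sid 1: flow:established; appid:ssh; flowbits:isnotset,sof; flowbits:set,sof"""
    bits = flowbits[pkt.flow]
    if pkt.established and pkt.appid == "ssh" and "sof" not in bits:
        bits.add("sof")      # the set happens only when the rule matches
        return True
    return False


def rule_ssh_finish(pkt: Packet) -> bool:
    """sid 2: flow:established; flags:*FR; flowbits:isset,sof; flowbits:isnotset,eof; flowbits:set,eof"""
    bits = flowbits[pkt.flow]
    any_fin_or_rst = any(f in pkt.flags for f in "FR")   # flags:*FR = any of F, R
    if pkt.established and any_fin_or_rst and "sof" in bits and "eof" not in bits:
        bits.add("eof")
        return True
    return False


def run(packets: List[Packet]) -> List[Tuple[int, str, int]]:
    """Evaluate both rules on every packet; return (sid, flow, packet index) alerts.
    Rule order within one packet is fixed here for readability; Snort itself gives
    no such guarantee, but the flowbits outcome is the same for this sequence."""
    flowbits.clear()
    alerts = []
    for i, pkt in enumerate(packets):
        if rule_ssh_start(pkt):
            alerts.append((1, pkt.flow, i))
        if rule_ssh_finish(pkt):
            alerts.append((2, pkt.flow, i))
    return alerts


def flow_records(alerts: List[Tuple[int, str, int]]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Pair the two alerts per flow into one (start, end) record, the
    netflow-like view the original question asked for."""
    rec: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for sid, flow, idx in alerts:
        start, end = rec.get(flow, (None, None))
        rec[flow] = (idx, end) if sid == 1 else (start, idx)
    return rec


# Constructed packet sequence: one SSH flow plus an unrelated HTTP packet.
SAMPLE = [
    Packet("c:51234->s:22", "S", False, None),    # SYN: not established yet
    Packet("c:51234->s:22", "A", True, None),     # handshake done, AppID undecided
    Packet("c:51234->s:22", "PA", True, "ssh"),   # banner seen, AppID=ssh -> sid 1 fires
    Packet("c:51234->s:22", "PA", True, "ssh"),   # sof already set -> silent
    Packet("c:40000->s:80", "PA", True, "http"),  # other app -> neither rule
    Packet("c:51234->s:22", "FA", True, "ssh"),   # FIN -> sid 2 fires
    Packet("c:51234->s:22", "FA", True, "ssh"),   # retransmitted FIN: eof set -> silent
    Packet("c:51234->s:22", "R", True, "ssh"),    # late RST: eof set -> silent
]

if __name__ == "__main__":
    for sid, flow, idx in run(SAMPLE):
        print(f"packet {idx}: sid {sid} on {flow}")
    print(flow_records(run(SAMPLE)))
```

The retransmitted FIN and the trailing RST are the cases the isnotset,eof check exists for: without it the finish rule would fire on every FIN/RST segment of the flow, and the log would again be per-packet rather than per-flow.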
