[Snort-openappid] [Snort-users] Appid question

Costas Kleopa (ckleopa) ckleopa at ...5...
Mon Sep 19 11:38:35 EDT 2016


We have visited this before on the “[Snort-openappid] Snort appid flow logging” thread which we gave some suggestions like these:

alert tcp any any -> any any (msg:"ssh start"; flow:established; appid:ssh,  flowbits:isnotset,sof; flowbits:  set,sof; sid: 1; )

alert tcp any any -> any any (msg:”ssh finish”; flow:established; flags:*FR; flowbits:isset,sof;   flowbits:isnotset,eof; flowbits:set,eof; sid:2; )

Hopefully those would help you get what you’re looking for.

Thanks
Costas

On Sep 19, 2016, at 11:28 AM, James Lay <jlay at ...45...<mailto:jlay at ...45...>> wrote:

Ah...ok well first +1 to that enhancement :)  So now, how do I emulate that via a snort rule(s)?  Something like this:

any any -> any any tcp

seems silly :D  My hope is to log the stream/flow, not single packets or specific payloads.  Thanks again Costas.

James

On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
No unfortunately that is an enhancement we currently don’t support.
We already have this in our roadmap but I am not sure in what release
this will be available.
Thanks
Costas
On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...<mailto:jlay at ...45...>> wrote:
Thanks Costas,
You know I looked at the appid-stats log:
statTime="1474267800",appName="Mobile
Safari",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
This is cool, but doesn't give me a source/destination.  I looked at the
video though and that was good information.  Is there something I'm
missing from the appid config that will show me source and destination?
Thank you!
James
On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
Adding the openappid snort list.
James, you’re probably looking for something like this training
video.
http://blog.snort.org/2014/07/openappid-training-videos-integration.html
In there it’s including some instructions on how to use the
app-stats logs and get them exported using the u2streamer utility we
have developed for this feature.
Thanks
Costas
On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
<rucombs at ...5...> wrote:
FYI
-------- Forwarded Message --------
SUBJECT:
[Snort-users] Appid question
DATE:
Sun, 18 Sep 2016 18:44:41 -0600
FROM:
James Lay <jlay at ...45...>
REPLY-TO:
jlay at ...45...
TO:
Snort <snort-users at lists.sourceforge.net>
Hey all,
This afternoon I found myself mucking around with appid.  I love
appid.  Right now it is only accompanying IDS hits.  I was wondering
if anyone has put something in place that makes appid almost like
a....I want to say netflow, but not quite.  I envision an app
reading the appid.u2 file and dumping it to Elasticsearch.  But
instead of having only IDS hits, I'd like to try and have snort
simply monitor and appid alert all traffic it sees.  Has anyone done
anything like this?  Thanks.
James <Attached Message Part.txt><Attached Message Part.txt>
------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-openappid
Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20160919/4ddfae18/attachment.html>


More information about the Snort-openappid mailing list