[Snort-openappid] [Snort-users] Appid question

James Lay jlay at ...45...
Mon Sep 19 11:40:32 EDT 2016


Awesome...thanks so much Costas.

James

On 2016-09-19 09:38, Costas Kleopa (ckleopa) wrote:
> We have visited this before on the “[Snort-openappid] Snort appid
> flow logging” thread which we gave some suggestions like these:
> 
> alert tcp any any -> any any (msg:"ssh start"; flow:established;
> appid:ssh; flowbits:isnotset,sof; flowbits:set,sof; sid:1;)
> 
> alert tcp any any -> any any (msg:"ssh finish"; flow:established;
> flags:*FR; flowbits:isset,sof; flowbits:isnotset,eof;
> flowbits:set,eof; sid:2;)
> 
> Hopefully those would help you get what you’re looking for.
> 
> Thanks
> Costas
> 
>> On Sep 19, 2016, at 11:28 AM, James Lay <jlay at ...45...>
>> wrote:
>> 
>> Ah...ok well first +1 to that enhancement :)  So now, how do I
>> emulate that via a snort rule(s)?  Something like this:
>> 
>> any any -> any any tcp
>> 
>> seems silly :D  My hope is to log the stream/flow, not single
>> packets or specific payloads.  Thanks again Costas.
>> 
>> James
>> 
>> On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
>> No unfortunately that is an enhancement we currently don’t support.
>> We already have this in our roadmap but I am not sure in what release
>> this will be available.
>> Thanks
>> Costas
>> On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...>
>> wrote:
>> Thanks Costas,
>> You know I looked at the appid-stats log:
>> statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
>> statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
>> statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
>> This is cool, but doesn't give me a source/destination.  I looked at the
>> video though and that was good information.  Is there something I'm
>> missing from the appid config that will show me source and destination?
>> Thank you!
>> James
>> On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
>> Adding the openappid snort list.
>> James, you’re probably looking for something like this training video.
>> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
>> In there it’s including some instructions on how to use the
>> app-stats logs and get them exported using the u2streamer utility we
>> have developed for this feature.
>> Thanks
>> Costas
>> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
>> <rucombs at ...5...> wrote:
>> FYI
>> -------- Forwarded Message --------
>> SUBJECT:
>> [Snort-users] Appid question
>> DATE:
>> Sun, 18 Sep 2016 18:44:41 -0600
>> FROM:
>> James Lay <jlay at ...45...>
>> REPLY-TO:
>> jlay at ...45...
>> TO:
>> Snort <snort-users at lists.sourceforge.net>
>> Hey all,
>> This afternoon I found myself mucking around with appid.  I love
>> appid.  Right now it is only accompanying IDS hits.  I was wondering
>> if anyone has put something in place that makes appid almost like
>> a....I want to say netflow, but not quite.  I envision an app
>> reading the appid.u2 file and dumping it to Elasticsearch.  But
>> instead of having only IDS hits, I'd like to try and have snort
>> simply monitor and appid alert all traffic it sees.  Has anyone done
>> anything like this?  Thanks.
>> James
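The two rules Costas posted rely on per-flow flowbits so that "ssh start" fires once when AppID first labels a flow as ssh, and "ssh finish" fires once on the first FIN or RST after that, which gives one alert pair per flow (with the source and destination that appid-stats lacks). The following is an added illustration, not code from the list or from Snort: a small Python model that evaluates those two rules over constructed packet sequences to show when each alert fires. It assumes `flow:established` holds for every packet, and reads `flags:*FR` as "any of FIN/RST set".

```python
# Added illustration (not the list's or Snort's code): a minimal model of how the
# two flowbits rules from Costas's reply behave across the packets of one TCP flow.
# Snort evaluates the real rules per packet with per-flow flowbit state; here
# "flow:established" is assumed true for every packet in the sample flows.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    app: Optional[str]      # application AppID has assigned to the flow so far (None = not yet identified)
    flags: str = "A"        # TCP flag letters present on this packet, e.g. "PA", "FA", "R"


@dataclass
class FlowState:
    bits: Set[str] = field(default_factory=set)   # flowbits currently set on this flow


def rule_ssh_start(pkt: Packet, st: FlowState) -> Optional[str]:
    """sid:1 -- appid:ssh; flowbits:isnotset,sof; flowbits:set,sof"""
    if pkt.app == "ssh" and "sof" not in st.bits:
        st.bits.add("sof")          # mark start-of-flow so sid:1 fires only once per flow
        return "ssh start"
    return None


def rule_ssh_finish(pkt: Packet, st: FlowState) -> Optional[str]:
    """sid:2 -- flags:*FR; flowbits:isset,sof; flowbits:isnotset,eof; flowbits:set,eof"""
    fin_or_rst = "F" in pkt.flags or "R" in pkt.flags   # flags:*FR = any of FIN/RST set
    if fin_or_rst and "sof" in st.bits and "eof" not in st.bits:
        st.bits.add("eof")          # mark end-of-flow so sid:2 fires only once per flow
        return "ssh finish"
    return None


def run_flow(packets: List[Packet]) -> List[str]:
    """Evaluate both rules over every packet of one flow; return alert messages in order."""
    st = FlowState()
    alerts: List[str] = []
    for pkt in packets:
        for rule in (rule_ssh_start, rule_ssh_finish):
            msg = rule(pkt, st)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed sample flows (hypothetical packet sequences, not captured traffic).
SSH_FLOW = [
    Packet(None, "A"),      # established, AppID has not labelled the flow yet
    Packet("ssh", "PA"),    # AppID identifies ssh -> sid:1 fires, sof set
    Packet("ssh", "PA"),    # more data: sof already set, sid:1 stays quiet
    Packet("ssh", "FA"),    # FIN: sof set, eof not set -> sid:2 fires, eof set
    Packet("ssh", "A"),
    Packet("ssh", "FA"),    # second FIN: eof already set, sid:2 stays quiet
]
HTTP_FLOW = [Packet("http", "PA"), Packet("http", "FA")]     # never ssh: nothing fires
RESET_BEFORE_ID = [Packet(None, "A"), Packet(None, "R")]     # RST before AppID labels the flow: no start, so no finish

if __name__ == "__main__":
    for name, flow in (("ssh", SSH_FLOW), ("http", HTTP_FLOW), ("reset", RESET_BEFORE_ID)):
        print(name, run_flow(flow))
```

The third sample shows the main caveat of the pattern: a flow that is torn down before AppID has labelled it never sets `sof`, so neither alert is produced and the flow is invisible to this logging; appid-stats would still count its bytes under `__unknown`.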