[Snort-openappid] [Snort-users] Appid question

Russ rucombs at ...5...
Mon Sep 19 12:16:31 EDT 2016


James - what exactly are you looking for?  I will add to the Snort++ 
backlog.

On 9/19/16 11:28 AM, James Lay wrote:
> Ah...ok well first +1 to that enhancement :)  So now, how do I emulate
> that via a snort rule(s)?  Something like this:
>
> any any -> any any tcp
>
> seems silly :D  My hope is to log the stream/flow, not single packets or
> specific payloads.  Thanks again Costas.
>
> James
>
> On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
>> No unfortunately that is an enhancement we currently don’t support.
>>
>> We already have this in our roadmap but I am not sure in what release
>> this will be available.
>>
>> Thanks
>> Costas
>>
>>> On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...>
>>> wrote:
>>>
>>> Thanks Costas,
>>>
>>> You know I looked at the appid-stats log:
>>>
>>> statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
>>> statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
>>> statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
>>>
>>> This is cool, but doesn't give me a source/destination.  I looked at
>>> the video though and that was good information.  Is there something
>>> I'm missing from the appid config that will show me source and
>>> destination?
>>> Thank you!
>>>
>>> James
>>>
>>> On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
>>>> Adding the openappid snort list.
>>>>
>>>> James, you’re probably looking for something like this training
>>>> video.
>>>>
>>>> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
>>>>
>>>>
>>>> It includes some instructions on how to use the app-stats logs and
>>>> export them using the u2streamer utility we developed for this
>>>> feature.
>>>>
>>>> Thanks
>>>> Costas
>>>>
>>>>> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
>>>>> <rucombs at ...5...> wrote:
>>>>>
>>>>> FYI
>>>>>
>>>>> -------- Forwarded Message --------
>>>>>
>>>>> SUBJECT:
>>>>> [Snort-users] Appid question
>>>>>
>>>>> DATE:
>>>>> Sun, 18 Sep 2016 18:44:41 -0600
>>>>>
>>>>> FROM:
>>>>> James Lay <jlay at ...45...>
>>>>>
>>>>> REPLY-TO:
>>>>> jlay at ...45...
>>>>>
>>>>> TO:
>>>>> Snort <snort-users at lists.sourceforge.net>
>>>>>
>>>>> Hey all,
>>>>>
>>>>> This afternoon I found myself mucking around with appid.  I love
>>>>> appid.  Right now it is only accompanying IDS hits.  I was wondering
>>>>> if anyone has put something in place that makes appid almost like
>>>>> a....I want to say netflow, but not quite.  I envision an app
>>>>> reading the appid.u2 file and dumping it to Elasticsearch.  But
>>>>> instead of having only IDS hits, I'd like to try and have snort
>>>>> simply monitor and appid alert all traffic it sees.  Has anyone done
>>>>> anything like this?  Thanks.
>>>>>
>>>>> James
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-openappid mailing list
>>> Snort-openappid at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
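The appid-stats records quoted above are what James has to work with until per-flow appid logging exists. As an added example (not code from the thread, from Snort or from OpenAppID), here is a small Python parser for that `key="value",...` format that aggregates bytes per application, reports how much traffic stays `__unknown`, and turns each record into a document of the kind one would bulk-index into Elasticsearch. The sample lines are constructed (the first three copy the thread's values, the last two are made up), and the field names are assumed to be exactly the four shown in the thread; note that nothing in the format carries a source or destination, which is the gap the thread is about.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of appid-stats lines in the format shown in the thread.
# The first three are the thread's own values; the last two are made up so
# that a second interval exists for the aggregation to work on.
SAMPLE_LOG = """\
statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
statTime="1474268100",appName="Squid",txBytes="100",rxBytes="200"
statTime="1474268100",appName="__unknown",txBytes="50",rxBytes="60"
"""

# One key="value" pair; values are double-quoted and contain no quotes.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = ("statTime", "appName", "txBytes", "rxBytes")


def parse_line(line):
    """Parse one record into a dict with typed fields; reject malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"malformed appid-stats record (missing {missing}): {line!r}")
    return {
        "statTime": int(fields["statTime"]),
        "appName": fields["appName"],
        "txBytes": int(fields["txBytes"]),
        "rxBytes": int(fields["rxBytes"]),
    }


def parse_log(text):
    """Parse every non-empty line of an appid-stats log."""
    return [parse_line(ln.strip()) for ln in text.splitlines() if ln.strip()]


def totals_by_app(records):
    """Sum tx/rx bytes per appName across all stat intervals."""
    totals = defaultdict(lambda: {"txBytes": 0, "rxBytes": 0})
    for r in records:
        totals[r["appName"]]["txBytes"] += r["txBytes"]
        totals[r["appName"]]["rxBytes"] += r["rxBytes"]
    return dict(totals)


def unknown_share(records):
    """Fraction of all bytes the detector could not classify (0.0 if no bytes)."""
    total = sum(r["txBytes"] + r["rxBytes"] for r in records)
    if total == 0:
        return 0.0
    unknown = sum(r["txBytes"] + r["rxBytes"]
                  for r in records if r["appName"] == "__unknown")
    return unknown / total


def to_documents(records):
    """Shape records as JSON-ready documents with an ISO-8601 UTC timestamp.

    The record carries no src/dst addresses, so none appear here; this is the
    limitation discussed in the thread, not something the parser can fill in.
    """
    docs = []
    for r in records:
        ts = datetime.fromtimestamp(r["statTime"], tz=timezone.utc).isoformat()
        docs.append({"@timestamp": ts, "app": r["appName"],
                     "tx_bytes": r["txBytes"], "rx_bytes": r["rxBytes"]})
    return docs


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for app, t in sorted(totals_by_app(recs).items()):
        print(f"{app:14s} tx={t['txBytes']:6d} rx={t['rxBytes']:6d}")
    print(f"unknown share: {unknown_share(recs):.1%}")
```

Feeding the real `appid-stats` output through `parse_log` and then `to_documents` gives per-interval, per-application byte counts that can be bulk-indexed; the `unknown_share` figure is worth watching, since a rising share of `__unknown` bytes usually means the detector set is out of date or traffic is being seen mid-flow.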