[Snort-openappid] [Snort-users] Appid question

James Lay jlay at ...45...
Mon Sep 19 12:41:42 EDT 2016


Thanks Russ.

A picture is worth a thousand words: 

ntopng does a smashing good job of layer 7 application identification. 
I want snort to do the same (I don't want to run ntopng JUST for l7 id)
:)  When I look at the appid-event which matches with Snort alerts I see
this: 

"(Event)",sensor_id="0",event_id="68",event_second="1474246449",event_microsecond="321074",sig_id="2000419",gen_id="1",revision="18",classification="33",priority="1",ip_source="8.254.230.174",ip_destination="192.168.1.89",src_port="80",dest_port="49757",protocol="6",impact_flag="0",blocked="0",mpls_label="0",vland_id="0",policy_id="0",appid="Microsoft Update"

This is nothing short of awesome.  Appid identified not just HTTP, but
Windows Updates.  Now...apply this across the board...every tcp session
gets identified and logged (not alerted) as shown for the MS update
above.  Every UDP session gets identified and logged like below: 

"(Event)",sensor_id="0",event_id="56",event_second="1474245787",event_microsecond="233164",sig_id="2016149",gen_id="1",revision="2",classification="9",priority="1",ip_source="192.168.1.101",ip_destination="69.171.255.36",src_port="40064",dest_port="3478",protocol="17",impact_flag="0",blocked="0",mpls_label="0",vland_id="0",policy_id="0",appid="STUN"


Maybe this isn't doable...maybe the overhead would just be too
much...not sure.  The end result of course is to match funky things like
seeing something other than HTTP over port 80...seeing data exfiltration
over udp port 53 and having snort's appid saying "unknown" as it's not
true dns protocol.   

Thanks again Russ! 

James

On 2016-09-19 10:16, Russ wrote: 

> James - what exactly are you looking for?  I will add to the Snort++ backlog.
> 
> On 9/19/16 11:28 AM, James Lay wrote:
> 
> Ah...ok well first +1 to that enhancement :)  So now, how do I emulate
> that via a snort rule(s)?  Something like this:
> 
> any any -> any any tcp
> 
> seems silly :D  My hope is to log the stream/flow, not single packets or
> specific payloads.  Thanks again Costas.
> 
> James
> 
> On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
> 
> No unfortunately that is an enhancement we currently don't support.
> 
> We already have this in our roadmap but I am not sure in what release
> this will be available.
> 
> Thanks
> Costas
> 
> On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...>
> wrote:
> 
> Thanks Costas,
> 
> You know I looked at the appid-stats log:
> 
> statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
> statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
> statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
> 
> This is cool, but doesn't give me a source/destination.  I looked at
> the video though and that was good information.  Is there something I'm
> missing from the appid config that will show me source and destination?
> Thank you!
> 
> James
> 
> On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
> 
> Adding the openappid snort list.
> 
> James, you're probably looking for something like this training
> video.
> 
> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
> 
> In there it's including some instructions on how to use the
> app-stats logs and get them exported using the u2streamer utility we
> have developed for this feature.
> 
> Thanks
> Costas
> 
> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
> <rucombs at ...5...> wrote:
> 
> FYI
> 
> -------- Forwarded Message --------
> 
> SUBJECT:
> [Snort-users] Appid question
> 
> DATE:
> Sun, 18 Sep 2016 18:44:41 -0600
> 
> FROM:
> James Lay <jlay at ...45...>
> 
> REPLY-TO:
> jlay at ...45...
> 
> TO:
> Snort <snort-users at lists.sourceforge.net>
> 
> Hey all,
> 
> This afternoon I found myself mucking around with appid.  I love
> appid.  Right now it is only accompanying IDS hits.  I was wondering
> if anyone has put something in place that makes appid almost like
> a....I want to say netflow, but not quite.  I envision an app
> reading the appid.u2 file and dumping it to Elasticsearch.  But
> instead of having only IDS hits, I'd like to try and have snort
> simply monitor and appid alert all traffic it sees.  Has anyone done
> anything like this?  Thanks.
> 
> James

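A sketch of the port-versus-appid check James describes, as an added example that is not part of the thread and not Snort's own code: it parses appid-event lines in the format quoted above and flags flows whose label does not fit the service port. The EXPECTED table and the third sample line are assumptions made for the example.

```python
import re

# Fields in the appid-event lines look like key="value"; values may contain spaces.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Which appid labels are expected on which service port. This table is an
# assumption made for the example, not a Snort default; note that "Microsoft
# Update" legitimately rides over HTTP on tcp/80, so it must be allowed there.
EXPECTED = {
    ("tcp", 80): {"HTTP", "Microsoft Update"},
    ("udp", 53): {"DNS"},
    ("udp", 3478): {"STUN"},
}

# Constructed sample input: the first two lines reproduce the thread's examples
# (trimmed to the fields used here); the third is invented for the udp/53 case.
SAMPLE_EVENTS = [
    '"(Event)",event_id="68",ip_source="8.254.230.174",ip_destination="192.168.1.89",'
    'src_port="80",dest_port="49757",protocol="6",appid="Microsoft Update"',
    '"(Event)",event_id="56",ip_source="192.168.1.101",ip_destination="69.171.255.36",'
    'src_port="40064",dest_port="3478",protocol="17",appid="STUN"',
    '"(Event)",event_id="57",ip_source="192.168.1.77",ip_destination="203.0.113.9",'
    'src_port="51234",dest_port="53",protocol="17",appid="__unknown"',
]

def parse_event(line):
    return dict(FIELD_RE.findall(line))  # key="value" pairs as a dict

def service_port(ev):
    # Check both ends: the event may be logged from the server side (src_port="80").
    proto = PROTO_NAMES.get(ev.get("protocol"))
    for key in ("dest_port", "src_port"):
        if (proto, int(ev[key])) in EXPECTED:
            return proto, int(ev[key])
    return None

def check_event(ev):
    # Return a reason string when the appid disagrees with the port, else None.
    svc = service_port(ev)
    if svc is None:
        return None  # not a port this policy cares about
    app = ev.get("appid", "")
    if app in EXPECTED[svc]:
        return None
    return f'event {ev["event_id"]}: appid "{app}" on {svc[0]}/{svc[1]}, expected one of {sorted(EXPECTED[svc])}'

def find_mismatches(lines):
    return [r for r in (check_event(parse_event(l)) for l in lines) if r]
```

Tune EXPECTED to what actually runs on each port in your environment before relying on the output, since applications carried over HTTP will otherwise show up as false positives.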
------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
------------------------------------------------------------------------------