[Snort-openappid] [Snort-users] Appid question

Russ rucombs at ...5...
Mon Sep 19 13:40:07 EDT 2016


Cool - thanks James.

On 9/19/16 12:41 PM, James Lay wrote:
> Thanks Russ.
>
> A picture is worth a thousand words:
> ntopng does a smashing good job of layer 7 application identification. 
>  I want snort to do the same (I don't want to run ntopng JUST for l7 
> id) :)  When I look at the appid-event which matches with Snort alerts 
> I see this:
> "(Event)",sensor_id="0",event_id="68",event_second="1474246449",event_microsecond="321074",sig_id="2000419",gen_id="1",revision="18",classification="33",priority="1",ip_source="8.254.230.174",ip_destination="192.168.1.89",src_port="80",dest_port="49757",protocol="6",impact_flag="0",blocked="0",mpls_label="0",vland_id="0",policy_id="0",appid="Microsoft Update"
> This is nothing short of awesome.  Appid identified not just HTTP, but 
> Windows Updates.  Now...apply this across the board...every tcp 
> session gets identified and logged (not alerted) as shown for the MS 
> update above.  Every UDP session gets identified and logged like below:
> "(Event)",sensor_id="0",event_id="56",event_second="1474245787",event_microsecond="233164",sig_id="2016149",gen_id="1",revision="2",classification="9",priority="1",ip_source="192.168.1.101",ip_destination="69.171.255.36",src_port="40064",dest_port="3478",protocol="17",impact_flag="0",blocked="0",mpls_label="0",vland_id="0",policy_id="0",appid="STUN"
> Maybe this isn't doable...maybe the overhead would just be too 
> much...not sure.  The end result of course is to match funky things 
> like seeing something other than HTTP over port 80...seeing data 
> exfiltration over udp port 53 and having snort's appid saying 
> "unknown" as it's not true dns protocol.
> Thanks again Russ!
> James
>
> On 2016-09-19 10:16, Russ wrote:
>> James - what exactly are you looking for?  I will add to the Snort++ 
>> backlog.
>>
>> On 9/19/16 11:28 AM, James Lay wrote:
>>> Ah...ok well first +1 to that enhancement :)  So now, how do I emulate
>>> that via a snort rule(s)?  Something like this:
>>>
>>> any any -> any any tcp
>>>
>>> seems silly :D  My hope is to log the stream/flow, not single packets or
>>> specific payloads.  Thanks again Costas.
>>>
>>> James
>>>
>>> On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
>>>> No unfortunately that is an enhancement we currently don’t support.
>>>>
>>>> We already have this in our roadmap but I am not sure in what release
>>>> this will be available.
>>>>
>>>> Thanks
>>>> Costas
>>>>
>>>>> On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45... 
>>>>> <mailto:jlay at ...45...>>
>>>>> wrote:
>>>>>
>>>>> Thanks Costas,
>>>>>
>>>>> You know I looked at the appid-stats log:
>>>>>
>>>>> statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
>>>>> statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
>>>>> statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
>>>>>
>>>>> This is cool, but doesn't give me a source/destination.  I looked at
>>>>> the
>>>>> video though and that was good information.  Is there something I'm
>>>>> missing from the appid config that will show me source and
>>>>> destination?
>>>>> Thank you!
>>>>>
>>>>> James
>>>>>
>>>>> On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
>>>>>> Adding the openappid snort list.
>>>>>>
>>>>>> James, you’re probably looking for something like this training
>>>>>> video.
>>>>>>
>>>>>> http://blog.snort.org/2014/07/openappid-training-videos-integration.html
>>>>>>
>>>>>>
>>>>>> In there it’s including some instructions on how to use the
>>>>>> app-stats logs and get them exported using the u2streamer utility we
>>>>>> have developed for this feature.
>>>>>>
>>>>>> Thanks
>>>>>> Costas
>>>>>>
>>>>>>> On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
>>>>>>> <rucombs at ...5... <mailto:rucombs at ...5...>> wrote:
>>>>>>>
>>>>>>> FYI
>>>>>>>
>>>>>>> -------- Forwarded Message --------
>>>>>>>
>>>>>>> SUBJECT:
>>>>>>> [Snort-users] Appid question
>>>>>>>
>>>>>>> DATE:
>>>>>>> Sun, 18 Sep 2016 18:44:41 -0600
>>>>>>>
>>>>>>> FROM:
>>>>>>> James Lay <jlay at ...45... 
>>>>>>> <mailto:jlay at ...45...>>
>>>>>>>
>>>>>>> REPLY-TO:
>>>>>>> jlay at ...45... <mailto:jlay at ...45...>
>>>>>>>
>>>>>>> TO:
>>>>>>> Snort <snort-users at lists.sourceforge.net 
>>>>>>> <mailto:snort-users at lists.sourceforge.net>>
>>>>>>>
>>>>>>> Hey all,
>>>>>>>
>>>>>>> This afternoon I found myself mucking around with appid.  I love
>>>>>>> appid.  Right now it is only accompanying IDS hits.  I was wondering
>>>>>>> if anyone has put something in place that makes appid almost like
>>>>>>> a....I want to say netflow, but not quite.  I envision an app
>>>>>>> reading the appid.u2 file and dumping it to Elasticsearch.  But
>>>>>>> instead of having only IDS hits, I'd like to try and have snort
>>>>>>> simply monitor and appid alert all traffic it sees.  Has anyone done
>>>>>>> anything like this?  Thanks.
>>>>>>>
>>>>>>> James
>>>>> ------------------------------------------------------------------------------
>>>>> _______________________________________________
>>>>> Snort-openappid mailing list
>>>>> Snort-openappid at lists.sourceforge.net 
>>>>> <mailto:Snort-openappid at lists.sourceforge.net>
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
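One way to act on the per-flow appid events James describes, as an added example that is not part of this thread or of Snort itself: a small Python checker that parses the key="value" event lines quoted above (plus two constructed ones) and flags sessions whose identified app does not fit the service port, the "something other than HTTP over port 80" and "unknown over udp/53" cases he mentions. The EXPECTED table, the UNKNOWN labels and the two extra sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Matches the key="value" pairs of the unified2 appid-event lines quoted in the thread.
_KV = re.compile(r'(\w+)="([^"]*)"')

# Which appids are acceptable on a given (ip protocol, port). Constructed for this
# example; a real deployment would derive it from its own traffic baseline.
EXPECTED = {
    ("6", "80"): {"HTTP", "Microsoft Update"},
    ("17", "53"): {"DNS"},
    ("17", "3478"): {"STUN"},
}
UNKNOWN = {"", "__unknown", "unknown"}  # assumed labels for unclassified traffic

def parse_event(line: str) -> Dict[str, str]:
    """Turn one appid-event line into a dict of its fields."""
    return dict(_KV.findall(line))

def mismatch(ev: Dict[str, str]) -> Optional[str]:
    """Reason string when the identified app disagrees with the service port, else None.

    The service port may be on either side: in the Microsoft Update event the server
    (port 80) is the packet source, so both ports are checked against EXPECTED.
    """
    proto, app = ev.get("protocol"), ev.get("appid", "")
    flow = f"{ev.get('ip_source', '?')}->{ev.get('ip_destination', '?')}"
    for port in (ev.get("dest_port"), ev.get("src_port")):
        expected = EXPECTED.get((proto, port))
        if expected is None:
            continue
        if app in UNKNOWN:
            return f"unidentified traffic on {proto}/{port} {flow}"
        if app not in expected:
            return f"{app} on {proto}/{port} {flow}"
        return None
    return None  # no expectation for either port: nothing to say

def find_mismatches(lines: List[str]) -> List[str]:
    """Run every event line through mismatch() and keep the flagged ones."""
    return [r for r in (mismatch(parse_event(l)) for l in lines) if r]

# Sample input: the two events quoted in the thread (fields trimmed) and two constructed ones.
SAMPLE = [
    '"(Event)",ip_source="8.254.230.174",ip_destination="192.168.1.89",src_port="80",dest_port="49757",protocol="6",appid="Microsoft Update"',
    '"(Event)",ip_source="192.168.1.101",ip_destination="69.171.255.36",src_port="40064",dest_port="3478",protocol="17",appid="STUN"',
    '"(Event)",ip_source="192.168.1.50",ip_destination="203.0.113.7",src_port="51000",dest_port="53",protocol="17",appid="__unknown"',
    '"(Event)",ip_source="192.168.1.51",ip_destination="198.51.100.9",src_port="52000",dest_port="80",protocol="6",appid="SSH"',
]
```

Running `find_mismatches(SAMPLE)` leaves the two real events alone and reports only the constructed udp/53 unknown and SSH-on-80 flows.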
