[Snort-openappid] [Snort-users] Appid question

James Lay jlay at ...45...
Mon Sep 19 20:32:24 EDT 2016


Ok so I'm close...I figured sessions originating from my network that
get established would be a good first shot:
alert tcp $HOME_NET any -> $EXTERNAL_NET any
(flow:to_server,established; sid:10000053)
alert udp $HOME_NET any -> $EXTERNAL_NET any
(flow:to_server,established; sid:10000054)
Unfortunately this generates a fair bit of alerts....79327 within a
couple hours on a very small home network.  Threshold/filtering won't
be a viable option as they are designed right now because they are time
based.  For this to work the threshold would need to be flow
based..."only alert on a new unique flow that gets established".  So
unless someone has any other idea, I'm about fresh out.  Thanks all.
James
On Mon, 2016-09-19 at 09:28 -0600, James Lay wrote:
> Ah...ok well first +1 to that enhancement :)  So now, how do I
> emulate that via a snort rule(s)?  Something like this:
> 
> any any -> any any tcp
> 
> seems silly :D  My hope is to log the stream/flow, not single packets
> or 
> specific payloads.  Thanks again Costas.
> 
> James
> 
> On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
> > 
> > No unfortunately that is an enhancement we currently don’t support.
> > 
> > We already have this in our roadmap but I am not sure in what
> > release
> > this will be available.
> > 
> > Thanks
> > Costas
> > 
> > > 
> > > On Sep 19, 2016, at 11:19 AM, James Lay <jlay at ...45...
> > > > 
> > > wrote:
> > > 
> > > Thanks Costas,
> > > 
> > > You know I looked at the appid-stats log:
> > > 
> > > statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
> > > statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
> > > statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
> > > 
> > > This is cool, but doesn't give me a source/destination.  I looked
> > > at the video though and that was good information.  Is there
> > > something I'm missing from the appid config that will show me
> > > source and destination?
> > > Thank you!
> > > 
> > > James
> > > 
> > > On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:
> > > > 
> > > > Adding the openappid snort list.
> > > > 
> > > > James, you’re probably looking for something like this training
> > > > video.
> > > > 
> > > > http://blog.snort.org/2014/07/openappid-training-videos-integration.html
> > > > 
> > > > 
> > > > In there it's including some instructions on how to use the
> > > > app-stats logs and get them exported using the u2streamer
> > > > utility we have developed for this feature.
> > > > 
> > > > Thanks
> > > > Costas
> > > > 
> > > > > 
> > > > > On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs)
> > > > > <rucombs at ...5...> wrote:
> > > > > 
> > > > > FYI
> > > > > 
> > > > > -------- Forwarded Message --------
> > > > > 
> > > > > SUBJECT:
> > > > > [Snort-users] Appid question
> > > > > 
> > > > > DATE:
> > > > > Sun, 18 Sep 2016 18:44:41 -0600
> > > > > 
> > > > > FROM:
> > > > > James Lay <jlay at ...45...>
> > > > > 
> > > > > REPLY-TO:
> > > > > jlay at ...45...
> > > > > 
> > > > > TO:
> > > > > Snort <snort-users at lists.sourceforge.net>
> > > > > 
> > > > > Hey all,
> > > > > 
> > > > > This afternoon I found myself mucking around with appid.  I
> > > > > love appid.  Right now it is only accompanying IDS hits.  I was
> > > > > wondering if anyone has put something in place that makes appid
> > > > > almost like a....I want to say netflow, but not quite.  I
> > > > > envision an app reading the appid.u2 file and dumping it to
> > > > > Elasticsearch.  But instead of having only IDS hits, I'd like
> > > > > to try and have snort simply monitor and appid alert all
> > > > > traffic it sees.  Has anyone done anything like this?  Thanks.
> > > > > 
> > > > > James <Attached Message Part.txt><Attached Message Part.txt>
> > > _______________________________________________
> > > Snort-openappid mailing list
> > > Snort-openappid at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-openappid
> > > 
> > > Please visit http://blog.snort.org to stay current on all the
> > > latest 
> > > Snort news!
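The two practical gaps in this thread are (a) the appid-stats log has no source/destination and is just key="value" pairs, and (b) Snort's threshold/detection_filter count events within a time window, so they cannot express "alert once per new unique flow". The script below is an added example written for this thread; it is not Snort code and not James's or Costas's. It parses appid-stats lines in the exact format quoted above, and it shows the flow-keyed suppression that would have to happen in post-processing (for example before indexing into Elasticsearch): events are kept only the first time their 5-tuple is seen. The event field names (proto, src, sport, dst, dport, app) and all sample values are constructed for the example.

```python
"""Post-process Snort appid-stats lines and de-duplicate alerts per flow.

Added example for this thread; not Snort code. Two parts:
 1. parse_appid_stats(): parses the key="value" lines appid-stats writes
    (format taken from the log excerpt quoted in the thread).
 2. FlowDeduper: keeps only the first event per unique flow, which is the
    flow-based suppression that Snort's time-window thresholds cannot
    express. Event records and their field names are constructed here.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# key="value" pairs; values may contain spaces (e.g. appName="Mobile Safari")
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_appid_stats(line: str) -> Dict[str, str]:
    """Turn one appid-stats line into a dict; numeric fields stay strings."""
    return {k: v for k, v in _KV_RE.findall(line)}


def bytes_per_app(lines: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """Sum (txBytes, rxBytes) per appName across all statTime buckets."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_appid_stats(line)
        if "appName" not in rec:
            continue  # malformed or unrelated line: skip, do not crash
        totals[rec["appName"]][0] += int(rec.get("txBytes", 0))
        totals[rec["appName"]][1] += int(rec.get("rxBytes", 0))
    return {app: (tx, rx) for app, (tx, rx) in totals.items()}


FlowKey = Tuple[str, str, int, str, int]


def flow_key(ev: Dict[str, object]) -> FlowKey:
    """5-tuple identifying a flow; field names are constructed for this example."""
    return (str(ev["proto"]), str(ev["src"]), int(ev["sport"]),
            str(ev["dst"]), int(ev["dport"]))


class FlowDeduper:
    """Emit an event only the first time its 5-tuple is seen.

    Unlike threshold/detection_filter, which count matches within N seconds,
    this keys purely on flow identity, so a long-lived established session
    yields exactly one record no matter how many packets match the rule.
    """

    def __init__(self) -> None:
        self._seen: set = set()
        self.suppressed = 0  # how many repeat-flow events were dropped

    def filter(self, events: Iterable[Dict[str, object]]) -> Iterator[Dict[str, object]]:
        for ev in events:
            key = flow_key(ev)
            if key in self._seen:
                self.suppressed += 1
                continue
            self._seen.add(key)
            yield ev


def unique_flows(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that start a not-yet-seen flow, in arrival order."""
    return list(FlowDeduper().filter(events))


# Constructed sample data (not from the thread): three appid-stats lines in
# the quoted format, and five per-packet events that belong to only two flows.
SAMPLE_STATS = [
    'statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"',
    'statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"',
    'statTime="1474268100",appName="Squid",txBytes="100",rxBytes="200"',
]

SAMPLE_EVENTS = [
    {"proto": "tcp", "src": "192.0.2.10", "sport": 51000, "dst": "198.51.100.5", "dport": 443, "app": "Mobile Safari"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 51000, "dst": "198.51.100.5", "dport": 443, "app": "Mobile Safari"},
    {"proto": "udp", "src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.9", "dport": 53, "app": "DNS"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 51000, "dst": "198.51.100.5", "dport": 443, "app": "Mobile Safari"},
    {"proto": "udp", "src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.9", "dport": 53, "app": "DNS"},
]


if __name__ == "__main__":
    for app, (tx, rx) in bytes_per_app(SAMPLE_STATS).items():
        print(f"{app:15s} tx={tx:6d} rx={rx:6d}")
    for ev in unique_flows(SAMPLE_EVENTS):
        print(ev["proto"], ev["src"], ev["sport"], "->", ev["dst"], ev["dport"], ev["app"])
```

On a real deployment the seen-set would need an expiry (the 5-tuple of a closed connection can legitimately reappear), and the event source would be the unified2 records rather than a hand-built list; the dedup logic itself does not change.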