<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
We have a video/demo on how we have used u2streamer in the following blog.
<div class=""><br class="">
</div>
<div class=""><a href="http://blog.snort.org/2014/07/openappid-training-videos-integration.html" class="">OpenAppID Training Videos: Integration with Splunk</a></div>
<div class=""><br class="">
</div>
<div class="">That should give a better explanation on how u2streamer works there.</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Costas</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Sep 2, 2015, at 9:24 AM, C. L. Martinez <<a href="mailto:carlopmart@...8..." class="">carlopmart@...8...</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">Hi all,<br class="">
<br class="">
I have enabled openappid in my snort host using the following config:<br class="">
<br class="">
preprocessor appid: app_detector_dir /data/config/etc/idpsnort/common, \<br class="">
  app_stats_filename appid.log, app_stats_period 60, memcap 134217728<br class="">
<br class="">
and adding "appid_event_types" to output unified2. I can see caught<br class="">
apps in the appid.log files like:<br class="">
<br class="">
statTime="1441199700",appName="ldap",txBytes="6966",rxBytes="4588"<br class="">
statTime="1441199700",appName="netbios-ssn",txBytes="40440",rxBytes="22780"<br class="">
statTime="1441199700",appName="ssl",txBytes="26962",rxBytes="15450"<br class="">
statTime="1441199700",appName="tds",txBytes="124129",rxBytes="195674"<br class="">
statTime="1441199700",appName="https",txBytes="36059",rxBytes="241232"<br class="">
statTime="1441199700",appName="ssl_client",txBytes="11960",rxBytes="14010"<br class="">
statTime="1441199700",appName="rubicon_project",txBytes="11960",rxBytes="14010"<br class="">
statTime="1441199700",appName="dce_endpoint_re",txBytes="1912",rxBytes="1680"<br class="">
statTime="1441199760",appName="flickr",txBytes="3842",rxBytes="28280"<br class="">
statTime="1441199760",appName="ftp",txBytes="7248",rxBytes="6466"<br class="">
statTime="1441199760",appName="mapi",txBytes="8914",rxBytes="7326"<br class="">
statTime="1441199760",appName="ldp",txBytes="216674",rxBytes="6132"<br class="">
statTime="1441199760",appName="dns",txBytes="1260",rxBytes="3628"<br class="">
statTime="1441199760",appName="kerberos",txBytes="19138",rxBytes="9814"<br class="">
statTime="1441199760",appName="ldap",txBytes="86081",rxBytes="109207"<br class="">
statTime="1441199760",appName="netbios-ssn",txBytes="208458",rxBytes="339704"<br class="">
statTime="1441199760",appName="smtp",txBytes="6782",rxBytes="2580"<br class="">
statTime="1441199760",appName="ssl",txBytes="147194",rxBytes="939822"<br class="">
statTime="1441199760",appName="tds",txBytes="1242487",rxBytes="4028056"<br class="">
statTime="1441199760",appName="https",txBytes="68706",rxBytes="286836"<br class="">
statTime="1441199760",appName="ssl_client",txBytes="27540",rxBytes="112998"<br class="">
statTime="1441199760",appName="microsoft",txBytes="4206",rxBytes="9884"<br class="">
statTime="1441199760",appName="google_accounts",txBytes="1548",rxBytes="9810"<br class="">
statTime="1441199760",appName="yahoo_login",txBytes="17944",rxBytes="65024"<br class="">
statTime="1441199760",appName="dce_endpoint_re",txBytes="18642",rxBytes="16248"<br class="">
statTime="1441199760",appName="microsoft_globa",txBytes="5960",rxBytes="3728"<br class="">
statTime="1441198560",appName="https",txBytes="549134",rxBytes="983710"<br class="">
statTime="1441198560",appName="ssl_client",txBytes="549134",rxBytes="983710"<br class="">
statTime="1441198560",appName="microsoft",txBytes="549134",rxBytes="983710"<br class="">
<br class="">
I have the following logs inside logdir:<br class="">
<br class="">
root@...101...:/nsm/logs/idpsnort01# ls -al<br class="">
total 560<br class="">
drwxr-xr-x 2 root root   4096 Sep  2 13:18 .<br class="">
drwxr-xr-x 4 root root     43 Sep  1 14:09 ..<br class="">
-rw-r----- 1 root root 186944 Sep  2 12:39 appid.log.1441191600<br class="">
-rw-r----- 1 root root   4128 Sep  2 12:53 appid.log.1441198260<br class="">
-rw-r----- 1 root root  38160 Sep  2 13:21 appid.log.1441198500<br class="">
-rw-r--r-- 1 root root      0 Sep  2 10:58 fast.log<br class="">
-rw-r--r-- 1 root root      0 Sep  2 10:58 full.log<br class="">
-rw-r----- 1 root root  18535 Sep  2 12:53 preprocs_20-avg_stats.log<br class="">
-rw-r----- 1 root root   6780 Sep  2 12:53 rules_25-total_stats.log<br class="">
-rw-r----- 1 root root 256646 Sep  2 13:21 scans.log<br class="">
-rw-rw-rw- 1 root root  26164 Sep  2 13:19 snort.stats<br class="">
-rw------- 1 root root    256 Sep  2 13:18 tt.log.bookmark<br class="">
-rw-r----- 1 root root      0 Sep  2 10:59 unified2.alert.1441191572<br class="">
-rw-r----- 1 root root      0 Sep  2 12:43 unified2.alert.1441197780<br class="">
-rw-r----- 1 root root      0 Sep  2 12:47 unified2.alert.1441198044<br class="">
-rw-r----- 1 root root      0 Sep  2 12:50 unified2.alert.1441198255<br class="">
-rw-r----- 1 root root      0 Sep  2 12:54 unified2.alert.1441198463<br class="">
<br class="">
appid.log.xxxxxx are generated by the openappid preprocessor. But when I<br class="">
run u2streamer:<br class="">
<br class="">
root@...101...:/nsm/logs/idpsnort01# u2streamer<br class="">
--path=/nsm/logs/idpsnort01 --name=tt.log<br class="">
Looking with timestamp: 0<br class="">
<br class="">
No log is generated ...<br class="">
<br class="">
Where am I making the mistake? Or is it necessary to create an alert<br class="">
rule for every appid for u2streamer to work?<br class="">
<br class="">
Thanks.<br class="">
<br class="">
_______________________________________________<br class="">
Snort-openappid mailing list<br class="">
Snort-openappid@lists.sourceforge.net<br class="">
https://lists.sourceforge.net/lists/listinfo/snort-openappid<br class="">
<br class="">
Please visit http://blog.snort.org to stay current on all the latest Snort news!<br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
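<div class="">An added example, not code from either post or from the Snort project: a small Python parser for the appid.log statistics records quoted above (one record per application per app_stats_period), which aggregates tx/rx bytes per application so the stats can be reviewed independently of unified2 alerts. It assumes the exact statTime/appName/txBytes/rxBytes layout shown in the post; the sample records are copied from it with one constructed malformed line.</div>

```python
import re
from collections import defaultdict

# One OpenAppID statistics record as written to appid.log.<epoch>:
#   statTime="<epoch>",appName="<name>",txBytes="<n>",rxBytes="<n>"
RECORD_RE = re.compile(
    r'^statTime="(?P<stat_time>\d+)",appName="(?P<app>[^"]+)",'
    r'txBytes="(?P<tx>\d+)",rxBytes="(?P<rx>\d+)"$'
)

# Constructed sample: records taken from the post above plus one
# deliberately malformed line to exercise the error path.
SAMPLE_LOG = """\
statTime="1441199700",appName="ldap",txBytes="6966",rxBytes="4588"
statTime="1441199700",appName="ssl",txBytes="26962",rxBytes="15450"
statTime="1441199760",appName="ldap",txBytes="86081",rxBytes="109207"
statTime="1441199760",appName="ssl",txBytes="147194",rxBytes="939822"
this line is not a stats record
"""

def parse_appid_stats(text):
    """Return (records, bad_lines); records carry int byte counts."""
    records, bad_lines = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m is None:
            bad_lines.append(line)  # keep for operator review, never silently drop
            continue
        records.append({"stat_time": int(m["stat_time"]), "app": m["app"],
                        "tx": int(m["tx"]), "rx": int(m["rx"])})
    return records, bad_lines

def totals_per_app(records):
    """Sum tx/rx per app; 'periods' counts stat buckets the app appeared in."""
    totals = defaultdict(lambda: {"tx": 0, "rx": 0, "periods": 0})
    for r in records:
        t = totals[r["app"]]
        t["tx"] += r["tx"]
        t["rx"] += r["rx"]
        t["periods"] += 1
    return dict(totals)

def top_apps(records, n=5, key="rx"):
    """Top-n apps by total tx or rx bytes, largest first."""
    ranked = sorted(totals_per_app(records).items(),
                    key=lambda kv: kv[1][key], reverse=True)
    return [(app, t[key]) for app, t in ranked[:n]]
```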
</body>
</html>