[Snort-users] Open App Id

valentin.giraud at ...17480...
Mon Apr 4 05:07:16 EDT 2016


Hi Snort community,

I am currently trying to write some detectors in Lua for App Id.
But there are 2 or 3 things that I need your help to understand.
- In what way can I use the "appMapping.data"? Because I wrote some 
Lua detectors and they work without using it...
- There are a lot of apps that are not working really well, e.g. when I go 
on "www.facebook.com" it works only from time to time... Have you any idea?
- I have a lot of DNS and __unknown AppName; do you have any idea where 
it could come from?

Examples of a session:

********
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="dayumBen",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759070",appName="DNS",txBytes="553",rxBytes="1163"
statTime="1459759190",appName="Firefox",txBytes="5600",rxBytes="12378"
statTime="1459759190",appName="HTTP",txBytes="5600",rxBytes="12378"
statTime="1459759190",appName="Squid",txBytes="5600",rxBytes="12378"
statTime="1459759080",appName="DNS",txBytes="1296",rxBytes="2201"
statTime="1459759090",appName="DNS",txBytes="219",rxBytes="396"
statTime="1459759180",appName="Firefox",txBytes="14961",rxBytes="17045"
statTime="1459759180",appName="HTTP",txBytes="14961",rxBytes="17045"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459759180",appName="Bing Maps",txBytes="7549",rxBytes="7607"
statTime="1459759190",appName="Google APIs",txBytes="5864",rxBytes="8620"
statTime="1459759190",appName="Firefox",txBytes="35136",rxBytes="37202"
statTime="1459759190",appName="HTTP",txBytes="35136",rxBytes="37202"
statTime="1459759190",appName="Google Maps",txBytes="6535",rxBytes="3886"
statTime="1459759190",appName="Bing Maps",txBytes="11167",rxBytes="12360"
statTime="1459759190",appName="Google APIs",txBytes="3903",rxBytes="3202"
statTime="1459759190",appName="Firefox",txBytes="3903",rxBytes="3202"
statTime="1459759190",appName="HTTP",txBytes="3903",rxBytes="3202"
statTime="1459759150",appName="DNS",txBytes="1299",rxBytes="2095"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"

************

Valentin.
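An added example, not from the post or from Snort itself, that parses app stats lines in the format quoted above, totals records and bytes per appName, and computes the share of `__unknown` records. The sample lines are constructed from the post's data, with one malformed line added to show that it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the app stats quoted in the post above.
SAMPLE = '''\
statTime="1459759980",appName="Firefox",txBytes="1125",rxBytes="1524"
statTime="1459759980",appName="HTTP",txBytes="1125",rxBytes="1524"
statTime="1459759050",appName="DNS",txBytes="492",rxBytes="861"
statTime="1459759180",appName="Google Maps",txBytes="4340",rxBytes="6894"
statTime="1459758980",appName="__unknown",txBytes="100",rxBytes="160"
statTime="1459759160",appName="DNS",txBytes="219",rxBytes="396"
garbage line that should be skipped
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_record(line):
    """Parse one key="value",... record; return None for malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {"statTime": int(fields["statTime"]), "appName": fields["appName"],
                "txBytes": int(fields["txBytes"]), "rxBytes": int(fields["rxBytes"])}
    except (KeyError, ValueError):  # missing field or non-numeric counter
        return None

def summarize(text):
    """Per-app record count and byte totals over all well-formed lines."""
    per_app = defaultdict(lambda: {"records": 0, "txBytes": 0, "rxBytes": 0})
    for rec in filter(None, map(parse_record, text.splitlines())):
        app = per_app[rec["appName"]]
        app["records"] += 1
        app["txBytes"] += rec["txBytes"]
        app["rxBytes"] += rec["rxBytes"]
    return dict(per_app)

def unknown_share(per_app):
    """Fraction of records AppId could not classify (appName "__unknown")."""
    total = sum(a["records"] for a in per_app.values())
    unknown = per_app.get("__unknown", {"records": 0})["records"]
    return unknown / total if total else 0.0

def apps_per_interval(text):
    """Apps reported at the same statTime. In the post's data several apps share
    identical byte counts at one statTime (one flow labelled with its service,
    client and payload app), so bytes must not be summed across apps."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_record, text.splitlines())):
        groups[rec["statTime"]].add(rec["appName"])
    return {t: sorted(apps) for t, apps in groups.items()}
```

Running `summarize` over a real app stats file and watching `unknown_share` over time gives a quick measure of how much traffic the detectors are failing to classify.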



