Snort mailing list archives
Re: [Snort-openappid] Appid question
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 19 Sep 2016 09:28:23 -0600
Ah... ok, well first +1 to that enhancement :) So now, how do I emulate that via a snort rule(s)? Something like this:

any any -> any any tcp

seems silly :D My hope is to log the stream/flow, not single packets or specific payloads. Thanks again Costas.

James

On 2016-09-19 09:23, Costas Kleopa (ckleopa) wrote:
No, unfortunately that is an enhancement we currently don't support. We already have this in our roadmap but I am not sure in what release this will be available.

Thanks
Costas

On Sep 19, 2016, at 11:19 AM, James Lay <jlay () slave-tothe-box net> wrote:

Thanks Costas,

You know I looked at the appid-stats log:

statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"

This is cool, but doesn't give me a source/destination. I looked at the video though and that was good information. Is there something I'm missing from the appid config that will show me source and destination? Thank you!

James

On 2016-09-19 09:07, Costas Kleopa (ckleopa) wrote:

Adding the openappid snort list.

James, you're probably looking for something like this training video: http://blog.snort.org/2014/07/openappid-training-videos-integration.html In there it's including some instructions on how to use the app-stats logs and get them exported using the u2streamer utility we have developed for this feature.

Thanks
Costas

On Sep 18, 2016, at 8:51 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

FYI

-------- Forwarded Message --------
SUBJECT: [Snort-users] Appid question
DATE: Sun, 18 Sep 2016 18:44:41 -0600
FROM: James Lay <jlay () slave-tothe-box net>
REPLY-TO: jlay () slave-tothe-box net
TO: Snort <snort-users () lists sourceforge net>

Hey all,

This afternoon I found myself mucking around with appid. I love appid. Right now it is only accompanying IDS hits. I was wondering if anyone has put something in place that makes appid almost like a... I want to say netflow, but not quite. I envision an app reading the appid.u2 file and dumping it to Elasticsearch. But instead of having only IDS hits, I'd like to try and have snort simply monitor and appid alert all traffic it sees. Has anyone done anything like this? Thanks.
James

------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-openappid
Please visit http://blog.snort.org to stay current on all the latest Snort news!
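The appid-stats lines James quotes above are a flat key="value" record per application per interval, with byte counters but no endpoints. The following is an added example, not code from the thread or from the Snort project, showing how such a dump can be parsed and summarised before being shipped somewhere like Elasticsearch; the sample lines are constructed from the three on the page plus a second interval and a malformed line, and the field names are the only assumption taken from the thread.

```python
"""Parse and summarise OpenAppID app-stats log lines.

Added example, not part of the mailing-list thread or of Snort itself.
The record format is taken from the lines quoted in the thread:
    statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
"""
import re
from collections import defaultdict

# One key="value" pair. App names may contain spaces ("Mobile Safari")
# but, in this format, not double quotes, so [^"]* is sufficient.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input: the three lines from the thread, one extra
# interval, and one junk line to exercise the error handling.
SAMPLE_STATS = """\
statTime="1474267800",appName="Mobile Safari",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="Squid",txBytes="9808",rxBytes="9012"
statTime="1474267800",appName="__unknown",txBytes="7220",rxBytes="4020"
statTime="1474268100",appName="Squid",txBytes="1200",rxBytes="34000"
this line is not a stats record
"""

REQUIRED = ("statTime", "appName", "txBytes", "rxBytes")


def parse_line(line):
    """Return a dict for one stats line, or None if it is not a valid record."""
    fields = dict(_PAIR_RE.findall(line))
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        return {
            "statTime": int(fields["statTime"]),
            "appName": fields["appName"],
            "txBytes": int(fields["txBytes"]),
            "rxBytes": int(fields["rxBytes"]),
        }
    except ValueError:
        # Counters that are not integers: treat the record as corrupt.
        return None


def parse_stats(text):
    """Parse every line of an app-stats dump, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def bytes_per_app(records):
    """Total tx+rx bytes per application across all intervals."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["appName"]] += rec["txBytes"] + rec["rxBytes"]
    return dict(totals)


def unknown_share(records):
    """Fraction of all bytes that AppID could not classify (0.0 if no traffic)."""
    total = sum(r["txBytes"] + r["rxBytes"] for r in records)
    if total == 0:
        return 0.0
    unknown = sum(r["txBytes"] + r["rxBytes"]
                  for r in records if r["appName"] == "__unknown")
    return unknown / total


if __name__ == "__main__":
    recs = parse_stats(SAMPLE_STATS)
    for app, nbytes in sorted(bytes_per_app(recs).items(), key=lambda kv: -kv[1]):
        print(f"{app:15s} {nbytes:>8d} bytes")
    print(f"unknown share: {unknown_share(recs):.1%}")
```

Note what the parser cannot give you: every record carries only an interval timestamp, an application name and two counters, so per-endpoint or per-flow attribution (the source/destination James asks about) is not recoverable from this file, and the `__unknown` share is the only hint that classification coverage is incomplete.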
Current thread:
- Appid question James Lay (Sep 18)
- Re: Appid question Y M (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: Appid question Victor Roemer (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: Appid question Y M (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: [Snort-openappid] Appid question James Lay (Sep 19)
- Re: [Snort-openappid] Appid question Russ (Sep 19)
- Re: [Snort-openappid] Appid question James Lay (Sep 19)
- Re: [Snort-openappid] Appid question Russ (Sep 19)