Snort mailing list archives

Re: Appid question


From: Y M <snort () outlook com>
Date: Mon, 19 Sep 2016 14:13:57 +0000

Hi James,

Does the ustreamer app fit what you are trying to do? Note that the stats from appid are total bytes seen 
regardless of source/destination client/server as far as I know.

The ustreamer app comes in [snort_install_path]/bin/ustreamer

The output is comma separated so it can be easily ingested through logstash/rsyslog. I will dig up more info once I 
get to a computer.

YM

Sent from Mobile

On Mon, Sep 19, 2016 at 3:46 AM +0300, "James Lay" <jlay () slave-tothe-box net<mailto:jlay () slave-tothe-box net>> 
wrote:

Hey all,

This afternoon I found myself mucking around with appid.  I love appid.  Right now it is only accompanying IDS hits.  I 
was wondering if anyone has put something in place that makes appid almost like a....I want to say netflow, but not 
quite.  I envision an app reading the appid.u2 file and dumping it to Elasticsearch.  But instead of having only IDS 
hits, I'd like to try and have snort simply monitor and appid alert all traffic it sees.  Has anyone done anything like 
this?  Thanks.

James