Snort mailing list archives
Re: Appid question
From: Victor Roemer <viroemer () cisco com>
Date: Mon, 19 Sep 2016 11:47:00 -0400
On 9/19/16 11:10 AM, James Lay wrote:
I tried ustreamer for about 10 seconds for testing...it used 50% of the cpu so I said forget that ;) At the core I don't want to identify on packets, I want to identify on streams/flows. I feel this is a challenge for me :D And, I'm wanting to go direct to ElasticSearch. More to come as I research...please feel free all to pipe in..and thanks as usual YM!
+1 for ElasticSearch. I have a tool which you might find useful in your endeavor https://github.com/wtfbbqhax/u2json It was intended to be a way to feed unified2 events into ElasticSearch, but my progress stalled a while ago.
James

On 2016-09-19 08:13, Y M wrote:

Hi James,

Does the ustreamer app fit what you are trying to do? Note that the stats from appid are total bytes seen regardless of source/destination client/server as far as I know. The ustreamer app comes in [snort_install_path]/bin/ustreamer. The output is comma separated so it can be easily ingested through logstash/rsyslog. I will dig up more info once I get to a computer.

YM
Sent from Mobile

On Mon, Sep 19, 2016 at 3:46 AM +0300, "James Lay" <jlay () slave-tothe-box net> wrote:

Hey all,

This afternoon I found myself mucking around with appid. I love appid. Right now it is only accompanying IDS hits. I was wondering if anyone has put something in place that makes appid almost like a....I want to say netflow, but not quite. I envision an app reading the appid.u2 file and dumping it to Elasticsearch. But instead of having only IDS hits, I'd like to try and have snort simply monitor and appid alert all traffic it sees. Has anyone done anything like this? Thanks.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
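The thread's goal is to read Snort's unified2 output (the IDS event file, and ideally appid.u2) and push it into Elasticsearch, which is what u2json set out to do. The following is an added example, not code from u2json or from any poster in the thread: a minimal Python reader that walks a unified2 byte stream, decodes the two IDS event record layouts (type 7, the 52-byte legacy event, and type 104, the VLAN variant that carries the 64-byte app_name field; type numbers and field order follow Snort's Unified2_common.h), skips record types it does not decode by honouring the length field rather than guessing, refuses a truncated tail instead of reading past the buffer, and emits Elasticsearch bulk-API lines. The sample records are constructed inline. The appid stats record type is deliberately not decoded here because its layout is not given in the thread; a real appid.u2 reader would add that case to decode_event.

```python
import datetime
import json
import socket
import struct

# Record type numbers as defined in Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_EXTRA_DATA = 110

# Every record starts with a network-byte-order (type, length) header.
HEADER = struct.Struct("!II")
# Unified2IDSEvent_legacy (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
EVENT_LEGACY = struct.Struct("!IIIIIIIIIIIHHBBBB")
# Unified2IDSEvent (type 104): legacy fields + mpls_label, vlan_id, pad, app_name[64] = 124 bytes
EVENT_VLAN = struct.Struct("!IIIIIIIIIIIHHBBBBIHH64s")

LEGACY_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
VLAN_FIELDS = LEGACY_FIELDS + ("mpls_label", "vlan_id", "pad", "app_name")


def iter_records(blob):
    """Yield (record_type, payload) for each record in a unified2 byte string.

    The length field is trusted only after checking it fits in the buffer, so a
    truncated or corrupted file raises instead of yielding garbage.
    """
    off = 0
    while off + HEADER.size <= len(blob):
        rtype, rlen = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if off + rlen > len(blob):
            raise ValueError("truncated record of type %d at offset %d"
                             % (rtype, off - HEADER.size))
        yield rtype, blob[off:off + rlen]
        off += rlen


def decode_event(rtype, payload):
    """Turn an IDS event record into a flat dict; return None for other types."""
    if rtype == UNIFIED2_IDS_EVENT and len(payload) >= EVENT_LEGACY.size:
        doc = dict(zip(LEGACY_FIELDS, EVENT_LEGACY.unpack_from(payload)))
    elif rtype == UNIFIED2_IDS_EVENT_VLAN and len(payload) >= EVENT_VLAN.size:
        doc = dict(zip(VLAN_FIELDS, EVENT_VLAN.unpack_from(payload)))
        # app_name is a NUL-padded char array; keep only the string part.
        doc["app_name"] = doc["app_name"].split(b"\0", 1)[0].decode("ascii", "replace")
        del doc["pad"]
    else:
        return None  # packets, extra data, appstat: skipped by length above
    doc["ip_source"] = socket.inet_ntoa(struct.pack("!I", doc["ip_source"]))
    doc["ip_destination"] = socket.inet_ntoa(struct.pack("!I", doc["ip_destination"]))
    ts = datetime.datetime.fromtimestamp(doc["event_second"], datetime.timezone.utc)
    doc["@timestamp"] = ts.replace(microsecond=doc["event_microsecond"]).isoformat()
    doc["record_type"] = rtype
    return doc


def to_bulk(blob, index="snort-events"):
    """Render decodable records as Elasticsearch _bulk API lines (action + doc)."""
    lines = []
    for rtype, payload in iter_records(blob):
        doc = decode_event(rtype, payload)
        if doc is None:
            continue
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc, sort_keys=True))
    return "\n".join(lines) + "\n" if lines else ""


def build_sample():
    """Constructed sample stream: a legacy event, a packet record, a VLAN event."""
    legacy = EVENT_LEGACY.pack(1, 42, 1474300000, 123456, 2100498, 1, 7, 3, 2,
                               0xC0A80105, 0x0A000001, 51515, 80, 6, 0, 0, 0)
    vlan = EVENT_VLAN.pack(1, 43, 1474300001, 0, 2100498, 1, 7, 3, 2,
                           0xC0A80105, 0x0A000001, 51516, 443, 6, 0, 0, 0,
                           0, 100, 0, b"HTTPS\0")
    packet = b"\x00" * 30  # placeholder UNIFIED2_PACKET body, skipped by decode_event
    return (HEADER.pack(UNIFIED2_IDS_EVENT, len(legacy)) + legacy
            + HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet
            + HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, len(vlan)) + vlan)


if __name__ == "__main__":
    print(to_bulk(build_sample()), end="")
```

Feeding the output to a real cluster is a single POST of that text to the _bulk endpoint; the point of the example is the reader side, in particular that the skip-by-length and truncation checks are what keep a malformed spool file from turning into an out-of-bounds read or a flood of bogus documents.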
Current thread:
- Appid question James Lay (Sep 18)
- Re: Appid question Y M (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: Appid question Victor Roemer (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: Appid question Y M (Sep 19)
- Re: Appid question James Lay (Sep 19)
- Re: [Snort-openappid] Appid question James Lay (Sep 19)
- Re: [Snort-openappid] Appid question Russ (Sep 19)
- Re: [Snort-openappid] Appid question James Lay (Sep 19)
- Re: [Snort-openappid] Appid question Russ (Sep 19)