PfSense – Snort : Detectando protocolos usados en tu red con OpenAppID

javcasta

Hola.

Enlazando con el post:

pfSense–ntopng: Detectando protocolos usados en tu red con ndpiReader vía shell https://forum.pfsense.org/index.php?topic=120399.0

pfSense – snort : Detectando protocolos usados en tu red con OpenAppID

Ahora muestro cómo detectar protocolos de capa de aplicación (Layer 7) en pfSense con el paquete snort instalado con OpenAppID habilitado:

En Services > Snort > Global Settings. > Sourcefire OpenAppID Detectors: Habilitar:

Enable OpenAppID
    Click to enable download of Sourcefire OpenAppID Detectors

Salvar cambios y reiniciar el servicio Snort.
Tras un tiempo para que snort y OpenAppID recolecten datos, podremos mirar los protocolos detectados:

Vía GUI: En Services > Snort > Snort interfaces > Wan Logs > app-stats.log

Vía shell: Desde shell, con el comando: (target fichero: app-stats-log.MARCA-DE-TIEMPO )

u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006

[2.3.2-RELEASE][root@pfSense232a.localdomain]/: u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006
statTime="1478099700",appName="DNS",txBytes="174",rxBytes="218"
statTime="1478099700",appName="__unknown",txBytes="1727",rxBytes="5714"
statTime="1478099700",appName="__unknown",txBytes="2984",rxBytes="1168"
statTime="1478100000",appName="HTTPS",txBytes="1992",rxBytes="7017"
statTime="1478100000",appName="__unknown",txBytes="8065",rxBytes="2593"
statTime="1478100000",appName="__unknown",txBytes="336",rxBytes="402"
statTime="1478100300",appName="__unknown",txBytes="448",rxBytes="580"
statTime="1478100300",appName="__unknown",txBytes="224",rxBytes="224"
statTime="1478100600",appName="Google",txBytes="2692",rxBytes="5399"
statTime="1478100600",appName="HTTPS",txBytes="2692",rxBytes="5399"
statTime="1478100600",appName="SSL client",txBytes="2692",rxBytes="5399"
statTime="1478100600",appName="__unknown",txBytes="3471",rxBytes="770"
statTime="1478100600",appName="__unknown",txBytes="178",rxBytes="178"
statTime="1478100900",appName="Google",txBytes="2980",rxBytes="6172"
statTime="1478100900",appName="HTTPS",txBytes="2980",rxBytes="6172"
statTime="1478100900",appName="SSL client",txBytes="2980",rxBytes="6172"
statTime="1478100900",appName="__unknown",txBytes="1762",rxBytes="1395"
statTime="1478101200",appName="Google",txBytes="1238",rxBytes="5366"
statTime="1478101200",appName="Firefox",txBytes="761",rxBytes="2672"
statTime="1478101200",appName="Gmail",txBytes="3276",rxBytes="6218"
statTime="1478101200",appName="HTTP",txBytes="761",rxBytes="2672"
statTime="1478101200",appName="HTTPS",txBytes="6325",rxBytes="16093"
statTime="1478101200",appName="Mozilla",txBytes="1811",rxBytes="4509"
statTime="1478101200",appName="SSL client",txBytes="6325",rxBytes="16093"
statTime="1478101200",appName="GoDaddy",txBytes="761",rxBytes="2672"
statTime="1478101200",appName="__unknown",txBytes="1233",rxBytes="848"
statTime="1478101200",appName="Firefox",txBytes="1753",rxBytes="5116"
statTime="1478101200",appName="HTTP",txBytes="1753",rxBytes="5116"
statTime="1478101200",appName="HTTPS",txBytes="11131",rxBytes="76597"
statTime="1478101200",appName="Gravatar",txBytes="723",rxBytes="3957"
statTime="1478101500",appName="Google",txBytes="9844",rxBytes="31304"
statTime="1478101500",appName="HTTPS",txBytes="11740",rxBytes="38018"
statTime="1478101500",appName="SSL client",txBytes="9844",rxBytes="31304"
statTime="1478101500",appName="__unknown",txBytes="9938",rxBytes="1718"
statTime="1478101500",appName="Google",txBytes="10250",rxBytes="34118"
statTime="1478101500",appName="HTTPS",txBytes="34320",rxBytes="268372"
statTime="1478101500",appName="SSL client",txBytes="10250",rxBytes="34118"
statTime="1478101500",appName="__unknown",txBytes="5579",rxBytes="27426"
statTime="1478101800",appName="__unknown",txBytes="11675",rxBytes="5171"

Salu2