PfSense – Snort : Detectando protocolos usados en tu red con OpenAppID
-
Hola.
Enlazando con el post:
pfSense–ntopng: Detectando protocolos usados en tu red con ndpiReader vía shell https://forum.pfsense.org/index.php?topic=120399.0
pfSense – snort : Detectando protocolos usados en tu red con OpenAppID
Ahora muestro cómo detectar protocolos de capa de aplicación (Layer 7) en pfSense con el paquete snort instalado con OpenAppID habilitado:
En Services > Snort > Global Settings. > Sourcefire OpenAppID Detectors: Habilitar:
Enable OpenAppID
Click to enable download of Sourcefire OpenAppID Detectors
Salvar cambios y reiniciar el servicio Snort.
Tras un tiempo para que snort y OpenAppID recolecten datos, podremos mirar los protocolos detectados:Vía GUI: En Services > Snort > Snort interfaces > Wan Logs > app-stats.log
Vía shell: Desde shell, con el comando: (target fichero: app-stats-log.MARCA-DE-TIEMPO )
u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006
[2.3.2-RELEASE][root@pfSense232a.localdomain]/: u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006 statTime="1478099700",appName="DNS",txBytes="174",rxBytes="218" statTime="1478099700",appName="__unknown",txBytes="1727",rxBytes="5714" statTime="1478099700",appName="__unknown",txBytes="2984",rxBytes="1168" statTime="1478100000",appName="HTTPS",txBytes="1992",rxBytes="7017" statTime="1478100000",appName="__unknown",txBytes="8065",rxBytes="2593" statTime="1478100000",appName="__unknown",txBytes="336",rxBytes="402" statTime="1478100300",appName="__unknown",txBytes="448",rxBytes="580" statTime="1478100300",appName="__unknown",txBytes="224",rxBytes="224" statTime="1478100600",appName="Google",txBytes="2692",rxBytes="5399" statTime="1478100600",appName="HTTPS",txBytes="2692",rxBytes="5399" statTime="1478100600",appName="SSL client",txBytes="2692",rxBytes="5399" statTime="1478100600",appName="__unknown",txBytes="3471",rxBytes="770" statTime="1478100600",appName="__unknown",txBytes="178",rxBytes="178" statTime="1478100900",appName="Google",txBytes="2980",rxBytes="6172" statTime="1478100900",appName="HTTPS",txBytes="2980",rxBytes="6172" statTime="1478100900",appName="SSL client",txBytes="2980",rxBytes="6172" statTime="1478100900",appName="__unknown",txBytes="1762",rxBytes="1395" statTime="1478101200",appName="Google",txBytes="1238",rxBytes="5366" statTime="1478101200",appName="Firefox",txBytes="761",rxBytes="2672" statTime="1478101200",appName="Gmail",txBytes="3276",rxBytes="6218" statTime="1478101200",appName="HTTP",txBytes="761",rxBytes="2672" statTime="1478101200",appName="HTTPS",txBytes="6325",rxBytes="16093" statTime="1478101200",appName="Mozilla",txBytes="1811",rxBytes="4509" statTime="1478101200",appName="SSL client",txBytes="6325",rxBytes="16093" statTime="1478101200",appName="GoDaddy",txBytes="761",rxBytes="2672" statTime="1478101200",appName="__unknown",txBytes="1233",rxBytes="848" statTime="1478101200",appName="Firefox",txBytes="1753",rxBytes="5116" statTime="1478101200",appName="HTTP",txBytes="1753",rxBytes="5116" statTime="1478101200",appName="HTTPS",txBytes="11131",rxBytes="76597" statTime="1478101200",appName="Gravatar",txBytes="723",rxBytes="3957" statTime="1478101500",appName="Google",txBytes="9844",rxBytes="31304" statTime="1478101500",appName="HTTPS",txBytes="11740",rxBytes="38018" statTime="1478101500",appName="SSL client",txBytes="9844",rxBytes="31304" statTime="1478101500",appName="__unknown",txBytes="9938",rxBytes="1718" statTime="1478101500",appName="Google",txBytes="10250",rxBytes="34118" statTime="1478101500",appName="HTTPS",txBytes="34320",rxBytes="268372" statTime="1478101500",appName="SSL client",txBytes="10250",rxBytes="34118" statTime="1478101500",appName="__unknown",txBytes="5579",rxBytes="27426" statTime="1478101800",appName="__unknown",txBytes="11675",rxBytes="5171"Salu2