pfSense – Snort: Detecting protocols used on your network with OpenAppID



    Hi.

    Following on from the post:

    pfSense–ntopng: Detecting protocols used on your network with ndpiReader via shell https://forum.pfsense.org/index.php?topic=120399.0

    pfSense – snort: Detecting protocols used on your network with OpenAppID

    Now I show how to detect application-layer (Layer 7) protocols on pfSense with the snort package installed and OpenAppID enabled:

    In Services > Snort > Global Settings > Sourcefire OpenAppID Detectors, enable:

    Enable OpenAppID
        Click to enable download of Sourcefire OpenAppID Detectors

    Save changes and restart the Snort service.
    After some time for snort and OpenAppID to collect data, we can look at the detected protocols:

    Via GUI: In Services > Snort > Snort Interfaces > WAN Logs > app-stats.log

    Via shell: From the shell, with the command (target file: app-stats.log.TIMESTAMP):

    u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006

    [2.3.2-RELEASE][root@pfSense232a.localdomain]/: u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006
    statTime="1478099700",appName="DNS",txBytes="174",rxBytes="218"
    statTime="1478099700",appName="__unknown",txBytes="1727",rxBytes="5714"
    statTime="1478099700",appName="__unknown",txBytes="2984",rxBytes="1168"
    statTime="1478100000",appName="HTTPS",txBytes="1992",rxBytes="7017"
    statTime="1478100000",appName="__unknown",txBytes="8065",rxBytes="2593"
    statTime="1478100000",appName="__unknown",txBytes="336",rxBytes="402"
    statTime="1478100300",appName="__unknown",txBytes="448",rxBytes="580"
    statTime="1478100300",appName="__unknown",txBytes="224",rxBytes="224"
    statTime="1478100600",appName="Google",txBytes="2692",rxBytes="5399"
    statTime="1478100600",appName="HTTPS",txBytes="2692",rxBytes="5399"
    statTime="1478100600",appName="SSL client",txBytes="2692",rxBytes="5399"
    statTime="1478100600",appName="__unknown",txBytes="3471",rxBytes="770"
    statTime="1478100600",appName="__unknown",txBytes="178",rxBytes="178"
    statTime="1478100900",appName="Google",txBytes="2980",rxBytes="6172"
    statTime="1478100900",appName="HTTPS",txBytes="2980",rxBytes="6172"
    statTime="1478100900",appName="SSL client",txBytes="2980",rxBytes="6172"
    statTime="1478100900",appName="__unknown",txBytes="1762",rxBytes="1395"
    statTime="1478101200",appName="Google",txBytes="1238",rxBytes="5366"
    statTime="1478101200",appName="Firefox",txBytes="761",rxBytes="2672"
    statTime="1478101200",appName="Gmail",txBytes="3276",rxBytes="6218"
    statTime="1478101200",appName="HTTP",txBytes="761",rxBytes="2672"
    statTime="1478101200",appName="HTTPS",txBytes="6325",rxBytes="16093"
    statTime="1478101200",appName="Mozilla",txBytes="1811",rxBytes="4509"
    statTime="1478101200",appName="SSL client",txBytes="6325",rxBytes="16093"
    statTime="1478101200",appName="GoDaddy",txBytes="761",rxBytes="2672"
    statTime="1478101200",appName="__unknown",txBytes="1233",rxBytes="848"
    statTime="1478101200",appName="Firefox",txBytes="1753",rxBytes="5116"
    statTime="1478101200",appName="HTTP",txBytes="1753",rxBytes="5116"
    statTime="1478101200",appName="HTTPS",txBytes="11131",rxBytes="76597"
    statTime="1478101200",appName="Gravatar",txBytes="723",rxBytes="3957"
    statTime="1478101500",appName="Google",txBytes="9844",rxBytes="31304"
    statTime="1478101500",appName="HTTPS",txBytes="11740",rxBytes="38018"
    statTime="1478101500",appName="SSL client",txBytes="9844",rxBytes="31304"
    statTime="1478101500",appName="__unknown",txBytes="9938",rxBytes="1718"
    statTime="1478101500",appName="Google",txBytes="10250",rxBytes="34118"
    statTime="1478101500",appName="HTTPS",txBytes="34320",rxBytes="268372"
    statTime="1478101500",appName="SSL client",txBytes="10250",rxBytes="34118"
    statTime="1478101500",appName="__unknown",txBytes="5579",rxBytes="27426"
    statTime="1478101800",appName="__unknown",txBytes="11675",rxBytes="5171"
    

    Cheers
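The u2openappid output above is one record per five-minute interval and application, which is awkward to read by eye once a file has a few hundred lines. The following script is an added example, not part of the original post or of the pfSense/Snort packages: it parses that `statTime=...,appName=...,txBytes=...,rxBytes=...` line format, totals bytes per application, lists the intervals in which nothing was classified (only `__unknown`), and ranks the named applications. The sample input is constructed from a subset of the lines shown in the post, with the shell prompt line left in to show that non-record lines are skipped. Note that OpenAppID reports several names for the same flow (in the output above, Google, HTTPS and SSL client carry identical byte counts in one interval), so per-application totals must not be added together as if they were independent traffic.

```python
"""Summarise a Snort OpenAppID app-stats log as printed by u2openappid (added example)."""
import re
from collections import defaultdict

# One record per line, exactly as u2openappid prints it.
LINE_RE = re.compile(
    r'statTime="(?P<statTime>\d+)",appName="(?P<appName>[^"]*)",'
    r'txBytes="(?P<txBytes>\d+)",rxBytes="(?P<rxBytes>\d+)"$'
)

UNKNOWN = "__unknown"

# Constructed sample: a subset of the lines from the post, plus the prompt line.
SAMPLE = """\
[2.3.2-RELEASE][root@pfSense232a.localdomain]/: u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006
statTime="1478099700",appName="DNS",txBytes="174",rxBytes="218"
statTime="1478099700",appName="__unknown",txBytes="1727",rxBytes="5714"
statTime="1478099700",appName="__unknown",txBytes="2984",rxBytes="1168"
statTime="1478100000",appName="HTTPS",txBytes="1992",rxBytes="7017"
statTime="1478100000",appName="__unknown",txBytes="8065",rxBytes="2593"
statTime="1478100300",appName="__unknown",txBytes="448",rxBytes="580"
statTime="1478100300",appName="__unknown",txBytes="224",rxBytes="224"
statTime="1478100600",appName="Google",txBytes="2692",rxBytes="5399"
statTime="1478100600",appName="HTTPS",txBytes="2692",rxBytes="5399"
statTime="1478100600",appName="SSL client",txBytes="2692",rxBytes="5399"
statTime="1478100600",appName="__unknown",txBytes="178",rxBytes="178"
statTime="1478101200",appName="Firefox",txBytes="761",rxBytes="2672"
statTime="1478101200",appName="HTTP",txBytes="761",rxBytes="2672"
statTime="1478101200",appName="GoDaddy",txBytes="761",rxBytes="2672"
"""


def parse_app_stats(text):
    """Return a list of dicts (statTime, appName, txBytes, rxBytes), skipping non-record lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt, blank or otherwise malformed line
        records.append({
            "statTime": int(m.group("statTime")),
            "appName": m.group("appName"),
            "txBytes": int(m.group("txBytes")),
            "rxBytes": int(m.group("rxBytes")),
        })
    return records


def totals_per_app(records):
    """Sum tx/rx bytes per application name across all intervals."""
    totals = defaultdict(lambda: {"txBytes": 0, "rxBytes": 0})
    for r in records:
        totals[r["appName"]]["txBytes"] += r["txBytes"]
        totals[r["appName"]]["rxBytes"] += r["rxBytes"]
    return dict(totals)


def unknown_bytes(records):
    """Total bytes (tx + rx) that OpenAppID could not classify."""
    return sum(r["txBytes"] + r["rxBytes"] for r in records if r["appName"] == UNKNOWN)


def unclassified_intervals(records):
    """statTime values for which every record is __unknown (nothing identified at all)."""
    names = defaultdict(set)
    for r in records:
        names[r["statTime"]].add(r["appName"])
    return sorted(t for t, s in names.items() if s == {UNKNOWN})


def top_apps(records, n=5):
    """Named applications ranked by total bytes; ties broken alphabetically.
    Names overlap per flow (e.g. Google / HTTPS / SSL client), so this is a ranking,
    not a partition of the traffic."""
    totals = totals_per_app(records)
    ranked = sorted(
        ((name, v["txBytes"] + v["rxBytes"]) for name, v in totals.items() if name != UNKNOWN),
        key=lambda item: (-item[1], item[0]),
    )
    return [name for name, _ in ranked[:n]]


if __name__ == "__main__":
    recs = parse_app_stats(SAMPLE)
    for name, v in sorted(totals_per_app(recs).items()):
        print(f"{name:12s} tx={v['txBytes']:>8d} rx={v['rxBytes']:>8d}")
    print("unknown bytes:", unknown_bytes(recs))
    print("intervals with nothing classified:", unclassified_intervals(recs))
    print("top apps:", top_apps(recs, 3))
```

To run it against a real file, pipe the command from the post into it, e.g. `u2openappid /var/log/snort/snort_em024285/app-stats.log.1478100006 | python3 appstats.py` after replacing `SAMPLE` with `sys.stdin.read()`; a growing share of `__unknown` bytes, or whole intervals with nothing classified, is the signal that the detector set is stale or that traffic is using something the detectors do not cover.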
