[Oisf-devel] OPNsense App Detection rules meets trafficid

Victor Julien lists at inliniac.net
Fri Apr 6 08:36:21 UTC 2018


Hi Michael,

On 05-04-18 13:18, Muenz, Michael wrote:
> within the last months we created a set of rules handling (web)
> application detection. [1]
> As an input we just need some lines with an application name, group and
> the URL. [2]
> We put this list over a small script [3] and get per line 3 rules
> catching DNS, http and tls_sni.
> 
> Now I heard about your trafficid initiative and I love the approach via
> yaml!
>
> Sadly it's very hard to add and maintain rules like this, esp. when new
> input comes from the community. This is our main goal because time is
> limited for all of us.
> 
> Since we don't want to reinvent the wheel and your way seems a bit more
> consistent, perhaps we can find a way (a wrapper?) to merge both logics?

I think we have slightly different (initial) goals, but things are
definitely close. Our initial goal is to support Suricata's bypass
features: detect high bandwidth streaming services like netflix so that
we can avoid spending (much) time on them. In the best case this is done
in layers below Suricata (hardware or kernel), but we also have an
internal software bypass.

Since bypass is the initial goal we haven't looked at DNS lookups yet.

A secondary goal is the labeling of flows. Starting with Suricata 4.1
we'll have special 'magic' flowbit names starting with 'traffic/id' and
'traffic/label' that are put in EVE records in a special way. A record
looks like this:

  "traffic":{"id":["google"],"label":["search"]}

This record type is added to the regular alerts, flows, etc. So you can
get visualizations like [1].

I think adding support for drop rules would also make sense.

I like the YAML format as it will make it easy to extend the format and
to add meta data and such.

One potential future extension is that for bypass it's best not to
depend only on the request information. It's probably better to either
look both at request and response, or only at the response. Or perhaps
mix in IP-space info. Otherwise we'll risk creating a very simple IDS
security-bypass hole :)

I think for dropping things it's probably not as much of an issue. If
you use a netflix SNI to a non-netflix server it would still be dropped,
but that's probably fine.

Certainly interested in trying to work together here!

Cheers,
Victor


[1] https://www.inliniac.net/files/evebox-trafficid.png

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
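An added example, not code from the thread or from the Suricata project, showing how the "traffic":{"id":[...],"label":[...]} object Victor describes can be consumed from EVE JSON: flows are tallied per traffic id, and bypass candidates are chosen only when the request-side id (SNI) is corroborated by the server's IP space, which is the gap he flags about trusting request information alone. The "traffic" object follows the format quoted in the message; the surrounding EVE fields (event_type, dest_ip, flow.bytes_toserver/bytes_toclient), the sample lines, the prefix list and the byte threshold are constructed assumptions for the example.

```python
"""Added example (not from the mailing list or the Suricata project).

Consume Suricata EVE JSON records carrying the "traffic" object described
in the thread, aggregate per traffic id, and pick bypass candidates while
cross-checking the SNI-derived id against an assumed trusted IP prefix list.
Only the "traffic" object format is taken from the message; the rest of the
record layout, the sample data, prefixes and threshold are assumptions.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample EVE lines. The "traffic" object matches the format
# quoted in the thread; the other fields are a minimal EVE flow/alert record.
SAMPLE_EVE = """\
{"event_type":"flow","dest_ip":"198.51.100.10","tls":{"sni":"www.netflix.com"},"flow":{"bytes_toserver":4000,"bytes_toclient":90000000},"traffic":{"id":["netflix"],"label":["streaming"]}}
{"event_type":"flow","dest_ip":"203.0.113.7","tls":{"sni":"www.netflix.com"},"flow":{"bytes_toserver":3000,"bytes_toclient":70000000},"traffic":{"id":["netflix"],"label":["streaming"]}}
{"event_type":"flow","dest_ip":"192.0.2.5","flow":{"bytes_toserver":500,"bytes_toclient":12000},"traffic":{"id":["google"],"label":["search"]}}
{"event_type":"alert","dest_ip":"192.0.2.5","alert":{"signature":"example"},"traffic":{"id":["google"],"label":["search"]}}
{"event_type":"flow","dest_ip":"192.0.2.9","flow":{"bytes_toserver":100,"bytes_toclient":200}}
"""

# Hypothetical operator-maintained prefix list: the IP space in which we are
# willing to believe a "netflix" SNI. Addresses are RFC 5737 documentation
# ranges, not real service addresses.
TRUSTED_PREFIXES = {
    "netflix": [ipaddress.ip_network("198.51.100.0/24")],
}

# Assumed policy: only bulk-transfer labels above this size are bypassed.
BYPASS_LABELS = {"streaming"}
BYPASS_MIN_BYTES = 50_000_000


def parse_eve(text):
    """Yield decoded EVE records; skip blank or malformed lines rather than abort."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def traffic_ids(rec):
    return rec.get("traffic", {}).get("id", [])


def traffic_labels(rec):
    return rec.get("traffic", {}).get("label", [])


def bytes_by_id(text):
    """Sum flow bytes per traffic id (flow events only; alerts carry no counters)."""
    totals = defaultdict(int)
    for rec in parse_eve(text):
        if rec.get("event_type") != "flow":
            continue
        f = rec.get("flow", {})
        size = f.get("bytes_toserver", 0) + f.get("bytes_toclient", 0)
        for tid in traffic_ids(rec) or ["unlabeled"]:
            totals[tid] += size
    return dict(totals)


def ip_space_confirms(tid, dest_ip):
    """True if dest_ip is inside the prefixes trusted for this id.

    An id with no prefix list is never confirmed: the SNI is chosen by the
    client, so on its own it is not enough to justify skipping inspection.
    """
    nets = TRUSTED_PREFIXES.get(tid)
    if not nets:
        return False
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in n for n in nets)


def bypass_candidates(text):
    """Split bulk flows into (accepted, rejected) dest_ip lists.

    Accepted: a bypass label, above threshold, and the request-side id is
    corroborated by the server IP space. Rejected: same label and size but
    the id is not corroborated, i.e. a netflix SNI to a non-netflix server.
    """
    accepted, rejected = [], []
    for rec in parse_eve(text):
        if rec.get("event_type") != "flow":
            continue
        if not BYPASS_LABELS & set(traffic_labels(rec)):
            continue
        if rec.get("flow", {}).get("bytes_toclient", 0) < BYPASS_MIN_BYTES:
            continue
        dest = rec["dest_ip"]
        if any(ip_space_confirms(t, dest) for t in traffic_ids(rec)):
            accepted.append(dest)
        else:
            rejected.append(dest)
    return accepted, rejected


if __name__ == "__main__":
    print(bytes_by_id(SAMPLE_EVE))
    print(bypass_candidates(SAMPLE_EVE))
```

The rejected list is the case Victor describes: the same SNI-derived id and label, but a server outside the trusted IP space, which should still be inspected (or dropped, where a drop rule is the goal) rather than bypassed.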


