[Oisf-users] Is there any possible Suricata could support OpenAppId?

Victor Julien lists at inliniac.net
Fri Jan 30 12:11:48 UTC 2015

On 01/30/2015 11:16 AM, Michał Purzyński wrote:
> +1 to this idea, sounds interesting.
> On Fri, Jan 30, 2015 at 10:29 AM, Liao Zhuodi <liao_zd at foxmail.com> wrote:
>> Suricata support Lua script, and OpenAppID is actually functions in Lua like this:
>> function DetectorInit(detectorInstance)
>>     gDetector = detectorInstance
>>     gDetector:addAppUrl(0, 0, 0, 52, 13, "msn.com", "/", "http:", "", 308)
>>     return gDetector
>> end
>> and the best part about OpenAppID is it can generate app statics, does suricata has similar function?
>> #> u2openappid /var/log/snort/appstats-u2.log.1393807981
>> statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
>> statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
>> OpenAppID: http://blog.snort.org/2014/03/firing-up-openappid.html

This could be interesting, but it won't be trivial. I haven't really
looked at how openappid works yet. I suspect we'd need to have some kind
of lua hooks to trigger the scripts and probably also a way to keep some
state in the engine. If I understand correctly, there is also a rule
keyword that matches on it.

It's not currently on our roadmap, but I'd be happy to assist volunteers
where I can.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list