[Oisf-users] Is there any possible Suricata could support OpenAppId?

Victor Julien lists at inliniac.net
Fri Jan 30 12:11:48 UTC 2015


On 01/30/2015 11:16 AM, Michał Purzyński wrote:
> +1 to this idea, sounds interesting.
> 
> On Fri, Jan 30, 2015 at 10:29 AM, Liao Zhuodi <liao_zd at foxmail.com> wrote:
>> Suricata supports Lua scripts, and OpenAppID is actually Lua functions like this:
>>
>> -- minimal OpenAppID Lua detector: map HTTP requests for host msn.com to app id 308
>> function DetectorInit(detectorInstance)
>>     gDetector = detectorInstance
>>     -- addAppUrl(serviceId, clientId, clientType, payloadId, payloadType,
>>     --           hostPattern, pathPattern, schemePattern, queryPattern, appId)
>>     gDetector:addAppUrl(0, 0, 0, 52, 13, "msn.com", "/", "http:", "", 308)
>>     return gDetector
>> end
>>
>> and the best part about OpenAppID is that it can generate app statistics. Does Suricata have a similar function?
>> #> u2openappid /var/log/snort/appstats-u2.log.1393807981
>> statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
>> statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
>>
>> OpenAppID: http://blog.snort.org/2014/03/firing-up-openappid.html
>>

This could be interesting, but it won't be trivial. I haven't really
looked at how openappid works yet. I suspect we'd need to have some kind
of lua hooks to trigger the scripts and probably also a way to keep some
state in the engine. If I understand correctly, there is also a rule
keyword that matches on it.

It's not currently on our roadmap, but I'd be happy to assist volunteers
where I can.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
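
The closest thing Suricata offered at the time is its Lua output hook, which fires per flow rather than per OpenAppID application. The script below is an added example, not code from either poster nor from the Suricata or OpenAppID projects: it writes one line per closed flow in the same key="value" layout as the u2openappid output quoted above, keyed by the app-layer protocol Suricata itself identified (http, dns, tls, ...), which is far coarser than OpenAppID's per-application ids. It assumes the "flow" Lua output type and its SCFlowStats, SCFlowAppLayerProto and SCFlowTimeString helpers (present in Suricata 2.1 and later); the output file name appstats.log and the "unknown" label are choices made for this example.

```lua
-- Added example: Suricata Lua output script approximating OpenAppID's
-- appstats lines from flow records. Not part of the original thread.
-- Register it under "outputs:" -> "- lua:" in suricata.yaml.
-- Assumes the "flow" Lua output type (Suricata 2.1+): SCFlowStats(),
-- SCFlowAppLayerProto() and SCFlowTimeString() are provided by the engine.

local file            -- handle for the appstats-style log
local totals = {}     -- app name -> {tx = bytes to server, rx = bytes to client}

-- Tell Suricata which log type this script consumes.
function init(args)
    local needs = {}
    needs["type"] = "flow"
    return needs
end

-- Open the output file under Suricata's configured log directory.
function setup(args)
    local filename = SCLogPath() .. "/appstats.log"   -- file name is an assumption
    file = assert(io.open(filename, "a"))
    SCLogInfo("appstats log: " .. filename)
end

-- Called once per flow when it is logged (normally at flow end).
function log(args)
    -- App label: Suricata's app-layer protocol, not an OpenAppID application id.
    local app = SCFlowAppLayerProto()
    if app == nil or app == "failed" then
        app = "unknown"
    end

    -- tscnt/tsbytes: packets and bytes client->server, tccnt/tcbytes: server->client.
    local tscnt, tsbytes, tccnt, tcbytes = SCFlowStats()
    local startts, endts = SCFlowTimeString()   -- formatted timestamps, not epoch seconds

    -- Keep running per-app totals in script state, since the engine keeps none for us.
    local bucket = totals[app] or { tx = 0, rx = 0 }
    bucket.tx = bucket.tx + tsbytes
    bucket.rx = bucket.rx + tcbytes
    totals[app] = bucket

    -- Same field layout as the u2openappid output, one record per flow.
    file:write(string.format('statTime="%s",appName="%s",txBytes="%d",rxBytes="%d"\n',
        endts, app, tsbytes, tcbytes))
    file:flush()
end

-- Emit the per-app totals to the Suricata log on shutdown and close the file.
function deinit(args)
    for app, b in pairs(totals) do
        SCLogInfo(string.format("appstats total app=%s txBytes=%d rxBytes=%d", app, b.tx, b.rx))
    end
    if file then
        file:close()
    end
end
```

Two caveats a practitioner should keep in mind: flow-type Lua scripts see the flow only when Suricata logs it, so the counters arrive at flow end instead of in the fixed time buckets u2openappid reports, and the script runs in the packet-processing path, so the file write per flow should be replaced by batched output on a busy sensor.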