[Oisf-users] Is there any possible Suricata could support OpenAppId?

Cooper F. Nelson cnelson at ucsd.edu
Fri Jan 30 21:26:35 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wasn't sure how they were able to see inside an SSL session to identify
apps, so I did some research.  Found the following:

> https://forum.pfsense.org/index.php?topic=84227.0

This really isn't a "NGF" style application identification.  What they
are doing is looking at the SSL cert and pulling the domain from that.
EmergingThreats already has lots of application detection rules (e.g.
policy/chat rules) that do this, and Suricata supports Lua, so
I'm not sure what the advantage is.

Again, if you want to restrict users' access to certain domains you
should be using a web proxy.  Squid is free, works very well and will
even give your customers a useful error message vs. simply resetting the
connection.

Actual next-generation firewall products can be configured to proxy SSL
sessions and decrypt them to inspect the content.  Neither Squid nor
Suricata can do this (nor do I think they should), so again I think
these sorts of applications are better served by a NGF or proxy product.

- -Coop

On 1/30/2015 1:29 AM, Liao Zhuodi wrote:
> Suricata supports Lua scripts, and OpenAppID detectors are actually Lua functions like this:
> 
> function DetectorInit(detectorInstance)
>     gDetector = detectorInstance
>     gDetector:addAppUrl(0, 0, 0, 52, 13, "msn.com", "/", "http:", "", 308)
>     return gDetector
> end
> 
> and the best part about OpenAppID is that it can generate app statistics. Does Suricata have a similar function?
> #> u2openappid /var/log/snort/appstats-u2.log.1393807981
> statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
> statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
> 
> OpenAppID: http://blog.snort.org/2014/03/firing-up-openappid.html
> 
> Liao
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUy/cLAAoJEKIFRYQsa8FWpVYIAJ47MAD0lVNxNsdZH8eZq62/
6dF2Q0AUeWfTUjIxxAh6u4jsKxQqI4gOPGVEykxnHgYOwFcMD+SHExVRAxs2Zh2o
TK8Y+xy19d2r6aK1IeIMNRameLeAHG2nPyce4Dqa29XueirIKABtyfDw1t1Ofsqd
BhmjYldT/DJFZ8uSsaYtuYpEh+07u8AKpDhTjhOzqOe2yBqqdugUonvg+T5xFNDk
nAYtbBxmXVqxrZhQQYd1Oux7p1AyNZIWwxRHnHnIx8KmNkVHcLvVWcMNXFxnuIuG
VGyJA5CYW5HlGHJVTn9AExomwR/5GdrD011hza/cVLk2grjgM3W3HPbvuYyr958=
=pTzP
-----END PGP SIGNATURE-----
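The two points raised in the thread, pulling the domain out of the SSL certificate subject (what the ET policy rules effectively do) and producing u2openappid-style per-app byte counters, can both be done on Suricata's own output without OpenAppID. The following Python is an added example, not code from the mailing list or from the Suricata project. It assumes Suricata is writing EVE JSON with the "tls" and "flow" event types and uses the documented field names (tls.subject, tls.sni, app_proto, flow.bytes_toserver, flow.bytes_toclient); the "sni" field only exists in Suricata versions that log it, hence the fallback to the certificate CN. The log lines, hosts, addresses, byte counts and the BLOCKED_DOMAINS policy list are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed EVE JSON records (not captured traffic).  Field names follow
# Suricata's EVE "tls" and "flow" event documentation; values are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-01-30T21:00:01.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,'
    '"tls":{"subject":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=*.msn.com",'
    '"issuerdn":"C=US, O=Example CA, CN=Example Issuing CA","sni":"www.msn.com"}}',
    # Older sensor output: no SNI field, CN is first in the subject DN.
    '{"timestamp":"2015-01-30T21:00:02.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.7","dest_ip":"203.0.113.20","dest_port":443,'
    '"tls":{"subject":"CN=chat.example.org, O=Example Chat Inc","issuerdn":"CN=Example Issuing CA"}}',
    '{"timestamp":"2015-01-30T21:00:03.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.30","dest_port":443,'
    '"tls":{"subject":"C=US, O=Example Search, CN=*.example-search.com","sni":"mail.example-search.com"}}',
    # Device cert with no CN at all: no domain can be derived.
    '{"timestamp":"2015-01-30T21:00:04.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.9","dest_ip":"203.0.113.40","dest_port":443,'
    '"tls":{"subject":"O=Acme Devices, OU=Firmware","issuerdn":"O=Acme Devices"}}',
    '{"event_type":"flow","app_proto":"tls","flow":{"bytes_toserver":6043,"bytes_toclient":111267}}',
    '{"event_type":"flow","app_proto":"dns","flow":{"bytes_toserver":8708,"bytes_toclient":38103}}',
    '{"event_type":"flow","app_proto":"tls","flow":{"bytes_toserver":1000,"bytes_toclient":2000}}',
    '{"event_type":"flow","app_proto":"failed","flow":{"bytes_toserver":300,"bytes_toclient":0}}',
]

# Hypothetical policy list for the example.
BLOCKED_DOMAINS = ["msn.com", "chat.example.org"]

CN_PATTERN = re.compile(r"(?:^|,\s*)CN=([^,]+)")


def parse_eve(lines):
    """Parse EVE JSON lines, skipping blank or truncated ones (a sensor that
    is mid-write can leave a partial last line in the file)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def cert_domain(subject):
    """Return the CN from a certificate subject DN, or None if it has none."""
    match = CN_PATTERN.search(subject or "")
    return match.group(1).strip().lower() if match else None


def session_domain(tls):
    """Prefer SNI (the exact host the client asked for) over the cert CN,
    which is frequently a wildcard and names the cert owner, not the host."""
    name = tls.get("sni") or cert_domain(tls.get("subject"))
    if not name:
        return None
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def domain_matches(name, policy_domain):
    """Exact or subdomain match only: a plain endswith("msn.com") check would
    also match evil-msn.com, which is not in the policy."""
    return name == policy_domain or name.endswith("." + policy_domain)


def policy_hits(events, blocked_domains):
    """(src_ip, dest_ip, domain, matched policy entry) for each TLS session
    whose domain falls under the policy list."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "tls":
            continue
        name = session_domain(ev.get("tls", {}))
        if name is None:
            continue
        for policy_domain in blocked_domains:
            if domain_matches(name, policy_domain):
                hits.append((ev["src_ip"], ev["dest_ip"], name, policy_domain))
                break
    return hits


def app_stats(events):
    """Roll flow records up per app_proto.  txBytes/rxBytes follow the
    u2openappid naming: client-to-server is tx, server-to-client is rx."""
    stats = defaultdict(lambda: {"flows": 0, "txBytes": 0, "rxBytes": 0})
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        flow = ev.get("flow", {})
        app = ev.get("app_proto") or "failed"
        stats[app]["flows"] += 1
        stats[app]["txBytes"] += int(flow.get("bytes_toserver", 0))
        stats[app]["rxBytes"] += int(flow.get("bytes_toclient", 0))
    return dict(stats)


def format_stats(stats, stat_time):
    """Render counters in the same line format u2openappid prints."""
    return [
        f'statTime="{stat_time}",appName="{app}",txBytes="{s["txBytes"]}",rxBytes="{s["rxBytes"]}"'
        for app, s in sorted(stats.items())
    ]


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE_LINES)
    for src, dst, name, rule in policy_hits(evs, BLOCKED_DOMAINS):
        print(f"POLICY {src} -> {dst} tls domain {name} matches {rule}")
    for line in format_stats(app_stats(evs), "1422651600"):
        print(line)
```

One caveat on the statistics half: Suricata's app_proto is the protocol it recognised on the flow (tls, dns, http, ...), not the client application, so the counters are coarser than OpenAppID's "chrome" row in the quoted output. The policy half also only sees the domain; as the reply says, it can tell you a client reached msn.com but cannot look inside the session, and a client that omits SNI and hits a wildcard cert yields only the cert owner's apex domain.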


