[Oisf-users] Is there any possible Suricata could support OpenAppId?

Andreas Herz andi at geekosphere.org
Tue Oct 13 07:24:55 UTC 2015


On 12/10/15 at 10:13, Cooper F. Nelson wrote:
> The majority of the lua rules seem to be doing trivial matches on HTTP
> headers, which I'm almost positive suricata can do more efficiently via
> libhttp and the existing http rule syntax.

Great to see that I'm not the only one seeing this :)

> tl;dr If you want to block domains, urls and/or user-agents, use Squid.

Besides using Squid, there is no gain in using openappid; blocking
domains can be achieved in several places quite easily.

> Unless I'm missing something, it appears you could easily convert the
> web applications into suricata http rules.  For example, using these
> keywords:
> 
> client:		http_user_agent
> content_group:	http_header
> payload:	http_host; http_uri

And this is why I'm wondering why they even introduced openappid
instead of using the existing decoder etc.
Since it's not that special or difficult (besides some edge cases
maybe).

> The 'service' rules are trickier and would probably have to be
> re-written by hand, as there are lots of hex matches and ranges involved.

But still something that is technically possible with suricata (and
others)?!

So it looks more sane to write a converter than to implement the
"decoding" part, I guess.

-- 
Andreas Herz
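The converter idea discussed in this thread, sketched as an added example (not code from the thread, from Suricata or from the OpenAppId project): it takes a constructed, simplified application description (an assumed format, not OpenAppId's Lua detector format) and emits Suricata rules using the keyword mapping Cooper listed: client to http_user_agent, content_group to http_header, payload to http_host / http_uri. It also shows the hex-byte form that the "service" style rules would need. Rule names, sids and sample applications below are constructed for illustration.

```python
"""
Added example, not part of the Oisf-users thread and not Suricata's or
OpenAppId's own code.  Converts a constructed, simplified app description into
Suricata HTTP rules using the keyword mapping suggested in the thread.
"""
from dataclasses import dataclass
from typing import Optional

# Characters Suricata's content keyword cannot take literally inside the quotes
# (they would have to be backslash-escaped); we emit them as |hex| bytes instead.
SPECIAL = {'"', ';', '|', '\\'}


def content_literal(s: str) -> str:
    """Render a string as a Suricata content value, encoding bytes that are not
    safe to write literally (quote, semicolon, pipe, backslash, non-printable)
    as |xx| hex groups mixed with plain text, e.g. 'a;b' -> 'a|3b|b'."""
    out, run = [], []

    def flush():
        if run:
            out.append("|" + " ".join(run) + "|")
            run.clear()

    for b in s.encode("utf-8"):
        ch = chr(b)
        if 0x20 <= b < 0x7F and ch not in SPECIAL:
            flush()
            out.append(ch)
        else:
            run.append(f"{b:02x}")
    flush()
    return "".join(out)


def hex_content(pattern: bytes) -> str:
    """Pure hex content value, the form needed for the binary 'service' matches."""
    return "|" + " ".join(f"{b:02x}" for b in pattern) + "|"


@dataclass
class AppDef:
    """Constructed, simplified web-application description (assumed format)."""
    name: str
    sid: int
    user_agent: Optional[str] = None   # 'client'        -> http_user_agent
    header: Optional[str] = None       # 'content_group' -> http_header
    host: Optional[str] = None         # 'payload'       -> http_host
    uri: Optional[str] = None          # 'payload'       -> http_uri


def to_suricata_rule(app: AppDef) -> str:
    """Emit one Suricata rule in the classic content-modifier syntax.
    http_host content must be lowercase and cannot take nocase, so the host is
    lowercased at conversion time; the other buffers are matched case-insensitively."""
    opts = [f'msg:"APP-DETECT {app.name}"', "flow:established,to_server"]
    for value, keyword in ((app.host, "http_host"), (app.uri, "http_uri"),
                           (app.user_agent, "http_user_agent"),
                           (app.header, "http_header")):
        if value is None:
            continue
        if keyword == "http_host":
            opts.append(f'content:"{content_literal(value.lower())}"; {keyword}')
        else:
            opts.append(f'content:"{content_literal(value)}"; {keyword}; nocase')
    opts += ["classtype:policy-violation", f"sid:{app.sid}", "rev:1"]
    return "alert http any any -> any any (" + "; ".join(opts) + ";)"


def service_rule(name: str, sid: int, pattern: bytes, depth: int) -> str:
    """Hand-style 'service' rule: a raw byte pattern anchored at the start of
    the client's first payload (the part the thread says needs manual work)."""
    opts = [f'msg:"SERVICE-DETECT {name}"', "flow:established,to_server",
            f'content:"{hex_content(pattern)}"', f"depth:{depth}",
            "classtype:policy-violation", f"sid:{sid}", "rev:1"]
    return "alert tcp any any -> any any (" + "; ".join(opts) + ";)"


if __name__ == "__main__":
    # Constructed sample applications; sids are placeholders in the local range.
    apps = [
        AppDef("Example Updater", 9000001, user_agent="ExampleUpdater/1",
               host="Updates.Example.COM", uri="/check"),
        AppDef("Example Chat", 9000002, header="X-Example-Chat: v2"),
    ]
    for a in apps:
        print(to_suricata_rule(a))
    print(service_rule("Example binary proto", 9000003, b"\x16\x03\x01", 3))
```

Each emitted rule can be dropped into a local .rules file and checked with `suricata -T` before loading; the converter deliberately refuses nothing, so sid collisions with existing rulesets still have to be managed by the operator.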
