[Oisf-users] Is there any possible Suricata could support OpenAppId?
Andreas Herz
andi at geekosphere.org
Tue Oct 13 07:24:55 UTC 2015
On 12/10/15 at 10:13, Cooper F. Nelson wrote:
> The majority of the lua rules seem to be doing trivial matches on HTTP
> headers, which I'm almost positive suricata can do more efficiently via
> libhttp and the existing http rule syntax.
Great to see that i'm not the only one seeing this :)
> tl;dr If you want to block domains, urls and/or user-agents, use Squid.
Besides using Squid there is no gain in using openappid, blocking
domains can be achieved on several places quite easy.
> Unless I'm missing something, it appears you could easily convert the
> web applications into suricata http rules. For example, using these
> keywords:
>
> client: http_user_agent
> content_group: http_header
> payload: http_host; http_uri
And this is why i'm wondering why they even introduced openappid
instead of using the existent decoder etc.
Since it's not that special or difficult (besides some edge cases
maybe).
> The 'service' rules are trickier and would probably have to be
> re-written by hand, as there are lots of hex matches and ranges involved.
But still something that is technically possible with suricata (and
others)?!
So it looks more sane to write a converter then to implement the
"decoding" part, i guess.
--
Andreas Herz
More information about the Oisf-users
mailing list