[Oisf-users] Is there any possible Suricata could support OpenAppId?

Cooper F. Nelson cnelson at ucsd.edu
Wed Oct 14 19:37:03 UTC 2015


Ok so I have a bit of egg on my face at the moment, I literally just
discovered what the overall goal of OpenAppId is.

From this blog post:

> http://blog.snort.org/2014/04/openappid-application-rules.html

This is the kicker:

> The addition of OpenAppID also adds a new keyword to the Snort rules
> language. The appid keyword can be embedded in any rule to match only
> on traffic already identified as a specific application.

So the OpenAppId rules can flag a flow as facebook traffic, then you can
write rules like this:

> alert tcp any any -> any any (msg:"Facebook"; appid: facebook; sid:1000000; rev:1;)

This is a trivial example, as of course the idea is that you can then
write rules that are only evaluated against facebook traffic.  This will
further help performance (particularly for Lua sigs) and cut down on
false positives.

I think you can do this with the 'flowbits' feature in suricata, but I'm
not sure if it's savvy enough to check the flowbits before the signature
is run.  If not, that would definitely be a feature request on my end.

-Coop

On 10/13/2015 12:24 AM, Andreas Herz wrote:
> And this is why i'm wondering why they even introduced openappid 
> instead of using the existent decoder etc. Since it's not that
> special or difficult (besides some edge cases maybe).


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
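The flowbits pattern Coop describes, written out as an added example (this is not from the post, the Snort blog, or the Suricata rule set). It assumes Suricata rule syntax from the 4.x/5.x era (the tls.sni sticky buffer and the endswith modifier); the flowbit name app.facebook and the sids 1000001/1000002 are arbitrary choices for the example.

```suricata
# Tagging rule: classify the flow once from the TLS SNI, set a flowbit,
# and stay silent (flowbits:noalert) so the tag itself never alerts.
alert tls any any -> any any (msg:"APPID tag only: facebook"; tls.sni; content:"facebook.com"; nocase; endswith; flowbits:set,app.facebook; flowbits:noalert; sid:1000001; rev:1;)

# Consumer rule: the cheap flowbits:isset check comes first in the option
# list, so the expensive part of the rule only runs on flows already tagged.
alert tcp any any -> any any (msg:"Facebook flow"; flow:established; flowbits:isset,app.facebook; sid:1000002; rev:1;)
```

Two caveats a practitioner will hit. First, a flowbit is scoped to one flow, so every new TCP connection to the site has to be re-tagged by sid 1000001; if you want a host-scoped tag that survives across connections, that is what xbits (Suricata 3.0 and later) are for. Second, rule order in the file is not what makes this work: Suricata's signature ordering (detect-engine-sigorder in the source) runs rules that set a flowbit ahead of rules that test it, but keeping flowbits:isset at the front of the consumer rule's options is still what ensures the untagged flows are rejected before any content or Lua match is attempted.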