[Oisf-users] Is there any possible Suricata could support OpenAppId?
Andreas Herz
andi at geekosphere.org
Thu Oct 15 07:36:09 UTC 2015
On 14/10/15 at 12:20, Cooper F. Nelson wrote:
> Well, they are building their technology on snort, not suricata.
It's still a point for me to see where other similar projects are
going.
> Re: OpenAppId, its clearly to compete with PaloAlto while leveraging the
> open-source model. I.e., it's competing with PA's App-Id, not suricata
> or emerging threats, for the next-gen firewall market. As I've
> mentioned before, suricata isn't designed to be a next-generation firewall.
And I still think snort is no next-gen firewall either :p
As we saw it's just another way to write rules and use them. Nothing
special on the technical side.
> Any non-trivial lua signatures that operate on an entire non-http stream
> won't be possible in suricata for now, but I'm not sure such a thing
> would even be feasible on a big network given the limitations of modern
> hardware; unless perhaps they are integrated with the protocol decoders
> (like http currently is).
Are you certain? I thought it was mighty enough to handle also streams.
And it might need good hardware but I guess that's an issue that could
be solved. Especially if you want to have more "security" than
performance, which might be relevant in some use cases.
> From a computer science perspective, this is the right way to do things
> in order to get both high and predictable performance.
I second that. And I would prefer that this perspective is considered
more often.
> Anyways, I think I'm interested enough to try converting these rules to
> the standard suricata keywords where possible. I'll send an update
> when I have one.
Well that sounds nice :)
--
Andreas Herz