[Oisf-users] Is there any possible Suricata could support OpenAppId?
andi at geekosphere.org
Thu Oct 15 07:36:09 UTC 2015
On 14/10/15 at 12:20, Cooper F. Nelson wrote:
> Well, they are building their technology on snort, not suricata.
It's still a point for me to see where other similiar projects are
> Re: OpenAppId, its clearly to compete with PaloAlto while leveraging the
> open-source model. I.e., it's competing with PA's App-Id, not suricata
> or emerging threats, for the next-gen firewall market. As I've
> mentioned before, suricata isn't designed to be a next-generation firewall.
And i still think snort is no next-gen firewall either :p
As we saw it's just another way to write rules and use them. Nothing
special on the technical side.
> Any non-trivial lua signatures that operate on an entire non-http stream
> won't be possible in suricata for now, but I'm not sure such a thing
> would even be feasible on a big network given the limitations of modern
> hardware; unless perhaps they are integrated with the protocol decoders
> (like http currently is).
Are you certain? I thought it was mighty enough to handle also streams.
And it might need good hardware but i guess that's an issue that could
be solved. Especially if you want to have more "security" then
performance which might be relevant in some use cases.
> - From a computer science perspective, this is the right way to do things
> in order to get both high and predictable performance.
I second that. And i would prefer that this perspective is considered
> Anyways, I think I'm interested enough to try converting these rules to
> the standard suricata keywords where possible. I'll send and update
> when I have one.
Well that sounds nice :)
More information about the Oisf-users