[Oisf-users] Is there any possible Suricata could support OpenAppId?

Andreas Herz andi at geekosphere.org
Thu Oct 15 07:39:14 UTC 2015


On 14/10/15 at 12:37, Cooper F. Nelson wrote:
> This is the kicker:
> 
> > The addition of OpenAppID also adds a new keyword to the Snort rules
> > language. The appid keyword can be embedded in any rule to match only
> > on traffic already identified as a specific application.
> 
> So the OpenAppId rules can flag a flow as facebook traffic, then you can
> write rules like this:
> 
> > alert tcp any any -> any any (msg:"Facebook"; appid: facebook; sid:1000000; rev:1)
> 
> This is a trivial example as of course the idea is that you can then
> write rules that are only evaluated against facebook traffic.  This will
> further help performance (particularly for Lua sigs) and cut down on
> false-positives.

Well this might be helpful but it's still nothing that fancy IMHO.
It's just another way to write the rules and use them within the
IDS/IPS. Still something that might be achieved by suricata as well (if
wanted) since the technical part is the same: look into traffic and
match it against rules/patterns.

-- 
Andreas Herz
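To make the two-stage idea in the thread concrete (a classifier labels the flow first, then rules carrying an app label are only evaluated against flows with that label), here is an added Python sketch; it is not code from the thread, from Snort/OpenAppID or from Suricata. The flows, labels and rule text are constructed, the classification stage is assumed to have already run, and the rule parser handles only a plain subset of the option syntax.

```python
import re
from collections import namedtuple

# appid: label a prior classifier attached; content: plain match only (no |hex|)
Rule = namedtuple("Rule", "sid appid content")

def parse_rule(text):
    """Parse the option block of a Snort-style rule (constructed subset)."""
    opts = {}
    for item in re.search(r"\((.*)\)\s*$", text).group(1).split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    content = opts.get("content")
    return Rule(int(opts["sid"]), opts.get("appid"),
                content.encode() if content is not None else None)

def evaluate(flows, rules, gate_on_appid=True):
    """Return (alerts, payload_inspections). With gating on, a rule that names
    an appid is skipped outright for flows labelled as some other app."""
    alerts, inspections = [], 0
    for flow_id, payload, app in flows:
        for r in rules:
            if gate_on_appid and r.appid and r.appid != app:
                continue  # dropped before any payload work
            matched = True
            if r.content is not None:
                inspections += 1
                matched = r.content in payload
            if matched and r.appid and r.appid != app:
                matched = False  # ungated path still honours appid
            if matched:
                alerts.append((r.sid, flow_id))
    return alerts, inspections

# Constructed sample data: the third field is the label a prior classification
# stage (OpenAppID in Snort) would already have attached to each flow.
FLOWS = [
    ("f1", b"GET /home HTTP/1.1\r\nHost: www.facebook.com\r\n", "facebook"),
    ("f2", b"GET /api HTTP/1.1\r\nHost: example.org\r\n", "http"),
    ("f3", b"\x16\x03\x01\x00\x10client-hello-bytes", "tls"),
    ("f4", b"GET /photos HTTP/1.1\r\nHost: m.facebook.com\r\n", "facebook"),
]
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any any (msg:"Facebook"; appid:facebook; sid:1000000; rev:1;)',
    'alert tcp any any -> any any (msg:"Facebook photos"; appid:facebook; content:"/photos"; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"Any HTTP GET"; content:"GET "; sid:1000002; rev:1;)',
)]
```

Running `evaluate(FLOWS, RULES, True)` and `evaluate(FLOWS, RULES, False)` yields the same alerts, but the gated pass does fewer payload inspections, which is the performance effect the quoted post is getting at.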
