[Oisf-users] Is there any possible Suricata could support OpenAppId?

Cooper F. Nelson cnelson at ucsd.edu
Fri Oct 16 21:50:06 UTC 2015



On 10/15/2015 12:39 AM, Andreas Herz wrote:
> Well this might be helpful but it's still nothing that fancy IMHO.
> It's just another way to write the rules and use them within the
> IDS/IPS. Still something that might be achieved by suricata as well (if
> wanted) since the technical part is the same: look into traffic and
> match it against rules/patterns.

The advantage is that it allows the application-detection engine to be
programmatically extended by customers, without requiring new
application detection logic to be added to the core platform.  This is a
very powerful concept and to be fair is an advantage to snort 3.0.

Suricata has part of this currently, in that you can write rules against
supported protocols (http, dns & tls) that will only be evaluated
against flows that are identified as such by the application detection
engine.  This is a big win performance-wise for reasons that should be
obvious.

Suricata also has the ability to tag a flow via the 'flowbits' directive,
which can then be evaluated by other rules.  However, I do not think
suricata is able to group rules in such a way that they are only run
against flows that have previously had a flowbit set.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
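The flowbits tagging described in the post above, as an added example that is not part of the original message: the first rule tags a flow when a request for a constructed application path is seen, and the second rule is only able to alert on flows that already carry that tag. The application name `example.app`, the URI `/example-app/login`, and the sids are assumptions for illustration.

```suricata
# Rule 1: tag the flow when a request for the (constructed) application path
# is seen. flowbits:noalert keeps this tagging rule from generating an alert
# of its own; its only job is to set the bit on the flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Tag flow: example app login path seen"; flow:established,to_server; content:"/example-app/login"; http_uri; flowbits:set,example.app; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: evaluated on every HTTP flow, but can only match on flows where
# rule 1 has already set example.app. The bit lives in the flow record, so it
# persists across later packets in the same flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example app: credentials posted on tagged flow"; flow:established,to_server; flowbits:isset,example.app; content:"POST"; http_method; content:"password="; http_client_body; sid:1000002; rev:1;)
```

Both rules are still ordinary members of the rule set: the `isset` check is a per-rule condition rather than a mechanism that restricts which rules are run against the flow, which is the distinction the post draws.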
