[Oisf-users] Application awareness

Andreas Herz andi at geekosphere.org
Wed Jul 20 06:52:39 UTC 2016


On 20/07/16 at 12:08, Vishal Kotalwar wrote:
> Thanks Andreas for the reply, appreciate it.
> 
> What I can tell you is how I may use this feature (probable use cases) if
> implemented.
> 
> 1) Control or blocking of traffic: Example - I may want to allow
> Facebook.com but block the games (say Farmville) or facebook chat

Some of that might be already managed by rules but you will run into
issues nowadays, since more and more services are using HTTPS and we
can't look into encrypted traffic.

> 2) Statistics: I may want to know how many people are using Chrome browser
> in my network, more detailed could be chrome from desktop/laptop and mobile;
> next level could be which OS on those devices (e.g. windows, linux, mac,
> Blackberry, android, ios etc)

You could check for User-Agent in a rule and also use similar rules to
detect the OS. I guess that should be possible already with the correct
rules.

> 3) Rate limit: I may want to rate limit video/audio streaming applications
> on my network to free up bandwidth

Well that's not really a task for Suricata, that would fit into other
tools/systems.

> On 20-Jul-16 12:41 AM, Andreas Herz wrote:
> >On 19/07/16 at 16:49, Vishal Kotalwar wrote:
> >>Hi All,
> >>
> >>     I was going through all the information on suricata through different
> >>websites and articles but could not find any information on application
> >>recognition or classification capability. Does Suricata have this feature or
> >>is it on the roadmap for the next releases?
> >There is no dedicated application awareness although this depends on a
> >ruleset as well.
> >It is a feature we're looking into, but would need a lot of work.
> >
> >Do you have some more details about how you would want such a feature?
> >
> 
> -- 
> Thanks & Regards,
> Vishal V. Kotalwar



-- 
Andreas Herz
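
The User-Agent rules suggested in the reply above could look like the following. This is an added example, not rules from the original thread or from the Suricata project; the sids, messages and thresholds are constructed, and the legacy `http_user_agent` content modifier is assumed to be available in the Suricata version in use. As the reply notes, only unencrypted HTTP is visible to these rules.

```suricata
# Constructed local rules for browser/OS statistics (sids are placeholders in the local range).
# Each rule alerts at most once per source host per hour, so alert counts approximate hosts, not requests.
# The User-Agent header is set by the client, so treat the results as statistics, not as proof.

# Chrome on desktop: Edge and Opera also send "Chrome/", and Android Chrome is counted separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA Chrome desktop"; flow:established,to_server; content:"Chrome/"; http_user_agent; content:!"Edge/"; http_user_agent; content:!"OPR/"; http_user_agent; content:!"Android"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000001; rev:1;)

# Chrome on Android (phones and tablets).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA Chrome Android"; flow:established,to_server; content:"Chrome/"; http_user_agent; content:"Android"; http_user_agent; content:!"Edge/"; http_user_agent; content:!"OPR/"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000002; rev:1;)

# Chrome on iOS identifies itself as "CriOS/" instead of "Chrome/".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA Chrome iOS"; flow:established,to_server; content:"CriOS/"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000003; rev:1;)

# Operating system: Windows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA OS Windows"; flow:established,to_server; content:"Windows NT"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000004; rev:1;)

# Operating system: Linux desktop. Android User-Agents also contain "Linux", so exclude them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA OS Linux"; flow:established,to_server; content:"Linux"; http_user_agent; content:!"Android"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000005; rev:1;)

# Operating system: macOS. iOS User-Agents contain "like Mac OS X", so exclude them here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA OS macOS"; flow:established,to_server; content:"Mac OS X"; http_user_agent; content:!"like Mac OS X"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000006; rev:1;)

# Operating system: iOS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UA OS iOS"; flow:established,to_server; content:"like Mac OS X"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000007; rev:1;)
```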


