[Oisf-users] Application awareness

Vishal Kotalwar vishalkv at altencalsoftlabs.com
Wed Jul 20 07:31:49 UTC 2016


Andreas,

     What I listed were very simple examples for understanding the 
point. As you said, identifying a few applications by looking at the 
User-Agent or some other fields is possible, but not all of them. Some 
application signatures may be spread over multiple packets. With 
ever-increasing technologies and complexity, identifying new applications 
may require a dedicated application detection engine which is updated 
periodically for newer applications.


On 20-Jul-16 12:22 PM, Andreas Herz wrote:
> On 20/07/16 at 12:08, Vishal Kotalwar wrote:
>> Thanks Andreas for the reply, appreciate it.
>>
>> What I can tell you is how I may use this feature (probable use cases) if
>> implemented.
>>
>> 1) Control or blocking of traffic: Example - I may want to allow
>> Facebook.com but block the games (say Farmville) or facebook chat
> Some of that might be already managed by rules but you will run into
> issues nowadays, since more and more services are using HTTPS and we
> can't look into encrypted traffic.
>
>> 2) Statistics: I may want to know how many people are using Chrome browser
>> in my network, more detailed could be chrome from desktop/laptop and mobile;
>> next level could be which OS on those devices (e.g. windows, linux, mac,
>> Blackberry, android, ios etc)
> You could check for User-Agent in a rule and also use similar rules to
> detect the OS. I guess that should be possible already with the correct
> rules.
>
>> 3) Rate limit: I may want to rate limit video/audio streaming applications
>> on my network to free up bandwidth
> Well that's not really a task for Suricata, that would fit into other
> tools/systems.
>
>> On 20-Jul-16 12:41 AM, Andreas Herz wrote:
>>> On 19/07/16 at 16:49, Vishal Kotalwar wrote:
>>>> Hi All,
>>>>
>>>>      I was going through all the information on Suricata through different
>>>> websites and articles but could not find any information on application
>>>> recognition or classification capability. Does Suricata have this feature, or
>>>> is it on the road-map for the next releases?
>>> There is no dedicated application awareness although this depends on a
>>> ruleset as well.
>>> It is a feature we're looking into, but would need a lot of work.
>>>
>>> Do you have some more details about how you would want such a feature?
>>>
>> -- 
>> Thanks & Regards,
>> Vishal V. Kotalwar
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>

-- 
Thanks & Regards,
Vishal V. Kotalwar
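The following rules are an added illustration of the User-Agent approach Andreas describes for use case 2 (browser and OS statistics); they are example rules written here, not rules from the thread or from the Suricata project. The local-range sids and the User-Agent substrings ("Chrome/", "Windows NT", "Android", "Mobile", "CriOS/") are assumptions chosen for the example; the sticky-buffer syntax is the Suricata 3.x form, written http.user_agent in 5.0 and later.

```suricata
# Added example rules, not from the thread or the Suricata project.
# http_user_agent is a sticky buffer: every content match that follows it
# is applied to the User-Agent header, not to the whole request.
# sid 1000001-1000003 are local-range placeholders; the User-Agent
# substrings below are assumptions for this illustration.

# Desktop Chrome on Windows: Chrome token plus Windows NT, no Mobile token
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"UA stats: Chrome on Windows desktop"; flow:established,to_server; http_user_agent; content:"Chrome/"; content:"Windows NT"; content:!"Mobile"; classtype:policy-violation; sid:1000001; rev:1;)

# Chrome on Android phones: Chrome token plus Android and Mobile tokens
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"UA stats: Chrome on Android mobile"; flow:established,to_server; http_user_agent; content:"Chrome/"; content:"Android"; content:"Mobile"; classtype:policy-violation; sid:1000002; rev:1;)

# Chrome on iOS does not send a Chrome/ token; it identifies itself as CriOS/
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"UA stats: Chrome on iOS"; flow:established,to_server; http_user_agent; content:"CriOS/"; classtype:policy-violation; sid:1000003; rev:1;)
```

Two caveats follow directly from the thread: the User-Agent string is whatever the client chooses to send, so the counts these alerts produce are a self-reported inventory rather than a verified one, and the http keyword only sees plaintext HTTP, so, as Andreas notes, browsers that reach their sites over HTTPS are not classified by these rules at all. Chromium-based browsers other than Chrome also carry a "Chrome/" token, so the first two rules count those too unless further exclusions are added.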