[Oisf-users] Layer 7 Analysis with Suricata?

Cooper F. Nelson cnelson at ucsd.edu
Tue Feb 6 18:56:05 UTC 2018


I looked into porting over the openappid rules a while ago, using either
lua or flowbits.

In either case I was of the opinion that this was a losing battle for
the reason mentioned below: you would need to keep the list constantly
updated.  It's also not always clear these days, especially in the era
of protocols like Google's QUIC, what applications are going over any
particular encrypted tunnel.

If you really want to do something like this you should be using a web
proxy.  There are both commercial and open-source solutions that provide
as fine-grained a level of control as you want, including inspecting
encrypted sessions.  And of course you can stick a Suricata instance
inside/outside of it as well to add another layer of detection.

-Coop

On 1/30/2018 3:34 PM, Andreas Herz wrote:
> On 15/01/18 at 13:49, Victor Hooi wrote:
>> However, OpenAppID doesn't work with Suricata, right? Does Suricata have
>> something similar?
> We don't support openappid. IMHO the main issue with that is the
> detection of applications. You "just" need to write detection for them
> and always keep this up-to-date.
>

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

