[Snort-openappid] API, scheme of application detection engine ?

Cliff Judge (cljudge) cljudge at ...5...
Tue Apr 15 10:09:38 EDT 2014


Hi Ronan,

Openappid uses a number of techniques for application detection in openappid.

Openappid uses port and protocol ID matching, and pattern matching. It will then perform deep packet inspection if it has detected an "interesting" port or pattern. 

With regards to HTTP, as you have noticed, the primary method of determining the Client application is by examining the User-Agent in the HTTP Request packet. Openappid examines several other fields to identify various other applications. 

Openappid will only detect Wget if the default User-Agent string is used; if you change the User-Agent string there is no further information that can be used to identify that particular client. Curl is the same way. 

In your example, you should have been able to detect Wget when you ran it with default options. When you subsequently ran Wget with a blank User-Agent, and did not detect Wget, that is expected behavior.

________________________________________
From: Huet, Ronan (External) [Ronan.Huet.External at ...21...]
Sent: Tuesday, April 15, 2014 4:59 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] API, scheme of application detection engine ?

Hello,

I am trying to understand the detection engine of openappid and I would like to know how openappid can detect an application.
Does it use pattern matching (I suppose it is not enough for a good detection), size, order of fields in packets ...?
For example, I have tested the detection of user-agents Firefox and wget:
Firefox is detected but not Wget. So I tried to hide a Wget request in a Firefox request (with option --user-agent="" --header="") but openappid only detected "http".

Moreover, I am performing research on the links between all the functions and on the sequence of functions used to detect "an application".
Do you know if there is any scheme of this sequence and any API documentation?

Thank you for your time and consideration.

--
Ronan HUET
Airbus Defence & Space CyberSecurity
ronan.huet.external at ...21...
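
The staged detection described in the reply above (port or pattern hint, then deeper inspection, then client identification from the User-Agent), as an added Python sketch that is not part of the original thread and not OpenAppID code. The pattern table, port set, function names and sample requests are all hypothetical and constructed for illustration.

```python
import re

# Hypothetical pattern table (not OpenAppID's): client name -> User-Agent regex.
CLIENT_PATTERNS = [
    ("Firefox", re.compile(r"\bFirefox/\d")),
    ("Wget", re.compile(r"^Wget/\d")),
    ("curl", re.compile(r"^curl/\d")),
]
HTTP_PORTS = {80, 8080}  # assumed "interesting" ports
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")

def classify(dst_port, payload):
    """Return (service, client) for the first client payload of a TCP flow."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    looks_http = bool(REQUEST_LINE.match(head[0]))
    # Stage 1: a known port or a matching pattern makes the flow "interesting".
    if dst_port not in HTTP_PORTS and not looks_http:
        return (None, None)
    # Stage 2: deeper inspection must confirm the service from the request line.
    if not looks_http:
        return (None, None)
    # Stage 3: the client name comes from the User-Agent header alone.
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().decode("latin-1")
    user_agent = headers.get(b"user-agent", "")
    for client, pattern in CLIENT_PATTERNS:
        if pattern.search(user_agent):
            return ("HTTP", client)
    return ("HTTP", None)  # service known, nothing left to name the client

def _request(ua_line):
    # Constructed sample request; host and path are placeholders.
    return (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
            + ua_line + b"Accept: */*\r\n\r\n")

SAMPLES = {  # constructed inputs, not captured traffic
    "firefox": _request(b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) "
                        b"Gecko/20100101 Firefox/28.0\r\n"),
    "wget_default": _request(b"User-Agent: Wget/1.15 (linux-gnu)\r\n"),
    "no_user_agent": _request(b""),  # models a request sent without the header
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, classify(80, payload))
```

The `("HTTP", None)` result for the last sample corresponds to the outcome reported in the thread: the service is still identified, but the client is not.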





