[Snort-openappid] API, scheme of application detection engine ?

Huet, Ronan (External) Ronan.Huet.External at ...21...
Tue Apr 15 10:51:03 EDT 2014


Thank you for your answer.
But maybe my question was badly formulated:

This was my process to test the detection of openappid (here, the user-agent detection):
- run snort with openappid
- capture packets with tcpdump
- send a GET request to a web server with firefox
- check results of openappid

I have replayed this process for wget without any options and for wget with the options --user-agent="Mozilla... and the right header options (not empty).

1. For firefox request:

GET /test/ HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

==> detected as firefox user-agent by openappid

2. For Wget without options:

GET /test/ HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: <ip>
Connection: Keep-Alive

==> openappid only detected http

3. For wget with option (Wget pretends to be Firefox):

GET /test/ HTTP/1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: <ip>
Connection: keep-alive
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

==> openappid only detected http

We can see that the headers are not in the same order and the GET requests do not have the same version, but as you say Wget should be detected by openappid in my second case where no options are used (default user-agent string).
So why is Wget not detected? And how can openappid know the third case is not a Firefox request?

(Maybe I am a little too curious, but what do you mean by an "interesting" port or pattern detected by openappid?)

-----Original Message-----
From: Cliff Judge (cljudge) [mailto:cljudge at ...5...]
Sent: Tuesday, April 15, 2014 16:10
To: Huet, Ronan (External); snort-openappid at lists.sourceforge.net
Subject: RE: API, scheme of application detection engine ?


Hi Ronan,

Openappid uses a number of techniques for application detection in openappid.

Openappid uses port and protocol ID matching, and pattern matching. It will then perform deep packet inspection if it has detected an "interesting" port or pattern. 

With regards to HTTP, as you have noticed, the primary method of determining the Client application is by examining the User-Agent in the HTTP Request packet. Openappid examines several other fields to identify various other applications. 

Openappid will only detect Wget if the default User-Agent string is used; if you change the User-Agent string there is no further information that can be used to identify that particular client. Curl is the same way. 

In your example, you should have been able to detect Wget when you ran it with default options. When you subsequently ran Wget with a blank User-Agent, and did not detect Wget, that is expected behavior.

________________________________________
From: Huet, Ronan (External) [Ronan.Huet.External at ...21...]
Sent: Tuesday, April 15, 2014 4:59 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] API, scheme of application detection engine ?

Hello,

I am trying to understand the detection engine of openappid, and I would like to know how openappid can detect an application.
Does it use pattern matching (I suppose it is not enough for good detection), size, order of fields in packets, ...?
For example, I have tested the detection of user-agents Firefox and wget:
Firefox is detected but not Wget. So I tried to hide the Wget request in a Firefox request (with the options --user-agent="" --header="") but openappid only detected "http".

Moreover, I am performing a research on links between all the functions and what was the sequence of the functions to detect "an application".
Do you know if there is any scheme of this sequence and any API documentation?

Thank you for your time and consideration.

--
Ronan HUET
Airbus Defence & Space CyberSecurity
ronan.huet.external at ...21...
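A simplified model of the User-Agent-based HTTP client detection Cliff describes, added here as an illustration (not OpenAppID's own code; the pattern table and the 192.0.2.10 host are hypothetical stand-ins, and the requests are trimmed copies of the three captures in this thread). A well-formed request line yields "http", and a client id is added only when the User-Agent matches a known pattern, so a wget request carrying Firefox's User-Agent looks exactly like Firefox to this method, whatever the header order or HTTP version.

```python
import re

# Hypothetical stand-in for a client-detection table: (app id, User-Agent regex).
CLIENT_PATTERNS = [
    ("firefox", re.compile(r"\bFirefox/\d")),
    ("wget", re.compile(r"^Wget/\d")),
    ("curl", re.compile(r"^curl/\d")),
]
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_request(raw: str):
    """Split a raw request into (request line, {lowercased header name: value})."""
    lines = raw.strip("\r\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def identify(raw: str) -> list:
    """Return the app ids the model assigns to one request.

    'http' for any well-formed request line; a client id is appended only
    when the User-Agent matches. Header order and HTTP version are ignored.
    """
    request_line, headers = parse_request(raw)
    if not REQUEST_LINE.match(request_line):
        return []  # not recognised as HTTP at all
    apps = ["http"]
    user_agent = headers.get("user-agent", "")
    for app, pattern in CLIENT_PATTERNS:
        if pattern.search(user_agent):
            apps.append(app)
            break
    return apps


# Constructed requests modelled on the thread's three captures (host is a placeholder).
FIREFOX = "GET /test/ HTTP/1.1\nHost: 192.0.2.10\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0\nAccept: text/html\n"
WGET_DEFAULT = "GET /test/ HTTP/1.0\nUser-Agent: Wget/1.12 (linux-gnu)\nAccept: */*\nHost: 192.0.2.10\n"
WGET_SPOOFED = "GET /test/ HTTP/1.0\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0\nHost: 192.0.2.10\n"
WGET_BLANK = "GET /test/ HTTP/1.0\nUser-Agent: \nHost: 192.0.2.10\n"  # what a blank --user-agent sends

if __name__ == "__main__":
    for label, req in [("firefox", FIREFOX), ("wget default", WGET_DEFAULT),
                       ("wget spoofed", WGET_SPOOFED), ("wget blank UA", WGET_BLANK)]:
        print(f"{label:14s} -> {identify(req)}")
```

Case 2 is classified as wget by this model, which is the result Cliff says to expect with default options; case 3 with a copied Firefox User-Agent is classified as firefox, and a blank User-Agent leaves only "http".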