[Snort-openappid] API, scheme of application detection engine ?

Huet, Ronan (External) Ronan.Huet.External at ...21...
Tue Apr 15 11:28:40 EDT 2014


OK, thank you for your quick response and your answers.
I am looking forward to getting your API reference manual.

Regards
Ronan

-----Original Message-----
From: Costas Kleopa (ckleopa) [mailto:ckleopa at ...5...]
Sent: Tuesday 15 April 2014 17:17
To: Huet, Ronan (External); snort-openappid at lists.sourceforge.net
Cc: Cliff Judge (cljudge)
Subject: Re: [Snort-openappid] API, scheme of application detection engine ?

Ronan,

We have verified that there is an issue with the detection of Wget and we
are planning on fixing this in the next scheduled release of snort with
OpenAppID. Thanks for helping us identify this issue.

In regards to the "interesting" port, we were just referring to patterns or
known ports we have identified from our research which would need a
further, deeper inspection, which is not just pattern matching, in order for
us to identify a specific application.

We are also working on the manual for the API you have mentioned, and we
are planning on including this with our next scheduled release also.


Thanks
Costas


On 4/15/14, 10:51 AM, "Huet, Ronan (External)"
<Ronan.Huet.External at ...21...> wrote:

>Thank you for your answer.
>But maybe my question was badly formulated:
>
>This was my process to test the detection of openappid (there the user
>agent detection):
>- run snort with openappid
>- capture packets with tcpdump
>- send a GET request to a web server with firefox
>- check results of openappid
>
>I have replayed this process for wget without any option and for wget
>with the option --user-agent="Mozilla... and the proper header options (not
>empty)
>
>1. For firefox request:
>
>GET /test/ HTTP/1.1
>Host: <ip>
>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101
>Firefox/24.0
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Accept-Language: en-US,en;q=0.5
>Accept-Encoding: gzip, deflate
>Connection: keep-alive
>
>==> detected as firefox user-agent by openappid
>
>2. For Wget without options:
>
>GET /test/ HTTP/1.0
>User-Agent: Wget/1.12 (linux-gnu)
>Accept: */*
>Host: <ip>
>Connection: Keep-Alive
>
>==> openappid only detected http
>
>3. For wget with option (Wget pretends to be Firefox):
>
>GET /test/ HTTP/1.0
>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101
>Firefox/24.0
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Host: <ip>
>Connection: keep-alive
>Accept-Language: en-US,en;q=0.5
>Accept-Encoding: gzip, deflate
>
>==> openappid only detected http
>
>We can see that the headers are not in the same order and the GET requests
>do not have the same version, but as you say Wget should be detected by
>openappid in my second case where no options are used (default user-agent
>string). So why is Wget not detected? And how can openappid know the third
>case is not a Firefox request?
>
>(Maybe I am a little too curious, but what do you mean by an
>"interesting" port or pattern detected by openappid?)
>
>-----Original Message-----
>From: Cliff Judge (cljudge) [mailto:cljudge at ...5...]
>Sent: Tuesday 15 April 2014 16:10
>To: Huet, Ronan (External); snort-openappid at lists.sourceforge.net
>Subject: RE: API, scheme of application detection engine ?
>
>
>Hi Ronan,
>
>Openappid uses a number of techniques for application detection in
>openappid.
>
>Openappid uses port and protocol ID matching, and pattern matching. It
>will then perform deep packet inspection if it has detected an
>"interesting" port or pattern.
>
>With regards to HTTP, as you have noticed, the primary method of
>determining the Client application is by examining the User-Agent in the
>HTTP Request packet. Openappid examines several other fields to identify
>various other applications.
>
>Openappid will only detect Wget if the default User-Agent string is used;
>if you change the User-Agent string there is no further information that
>can be used to identify that particular client. Curl is the same way.
>
>In your example, you should have been able to detect Wget when you ran it
>with default options. When you subsequently ran Wget with a blank
>User-Agent, and did not detect Wget, that is expected behavior.
>
>________________________________________
>From: Huet, Ronan (External) [Ronan.Huet.External at ...21...]
>Sent: Tuesday, April 15, 2014 4:59 AM
>To: snort-openappid at lists.sourceforge.net
>Subject: [Snort-openappid] API, scheme of application detection engine ?
>
>Hello,
>
>I am trying to understand the detection engine of openappid, and I would
>like to know how openappid can detect an application.
>Does it use pattern matching (I suppose that is not enough for good
>detection), size, order of fields in packets, ...?
>For example, I have tested the detection of the user-agents Firefox and wget:
>Firefox is detected but not Wget. So I tried to hide a Wget request in a
>Firefox request (with the options --user-agent="" --header="") but openappid
>only detected "http".
>
>Moreover, I am performing research on the links between all the functions
>and the sequence of functions used to detect "an application".
>Do you know if there is any scheme of this sequence and any API
>documentation?
>
>Thank you for your time and consideration.
>
>--
>Ronan HUET
>Airbus Defence & Space CyberSecurity
>ronan.huet.external at ...21...<mailto:ronan.huet.external at ...21...>
>
>
>
