[Snort-openappid] Analysis of Traffic Mid-stream

Al Lewis (allewi) allewi at ...5...
Fri Jun 5 07:53:24 EDT 2015


If the part of what is used to identify the traffic is dropped/missing/intercepted then the application will not be correctly identified all the time. Mid-stream pickup is one of those things where it depends on what needs to be seen before a determination can be made on the type of traffic.

So while “missing” traffic from some applications may not affect detection, others depend on entire sessions (or at least most of it) to correctly identify applications.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...5...

From: sripaduka R [mailto:padukaietf at ...8...]
Sent: Friday, June 05, 2015 5:10 AM
To: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Analysis of Traffic Mid-stream

Hi all

Since I did not receive any reply ... wanted to know whether I ought to be checking on some other snort mailing list.
The question of course is for midstream analysis specific to open appid ...


On Thu, Jun 4, 2015 at 7:57 PM, sripaduka R <padukaietf at ...8...> wrote:
Hi all

Is there any experience with the analysis/open appid based detection of traffic
based on traffic intercepted mid stream [ as in the first few packets of the stream are dropped prior to reception to snort ] - will the open appid framework be able to figure out the flow & concerned app.

What is the probability of a false positive or a false negative in such a scenario?


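A constructed illustration of the dependency Al describes, added here and not OpenAppID or any list member's code: three simplified signatures look for each application's identifying bytes, and the sensor is made to miss the first client segments to mimic a mid-stream pickup. The signatures and the stream contents are assumptions for the demo, not real OpenAppID detectors.

```python
import re

# Constructed, simplified signatures (assumptions, not OpenAppID detectors).
# SSH and TLS reveal themselves once, in the very first client segment;
# HTTP repeats its request line on every request of a keep-alive session.
SIGNATURES = {
    "ssh":  rb"^SSH-2\.0-",
    "tls":  rb"^\x16\x03[\x00-\x03]..\x01",          # record hdr + ClientHello type
    "http": rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n",
}

# Constructed client->server payload segments per session, in wire order.
STREAMS = {
    "ssh":  [b"SSH-2.0-OpenSSH_8.9\r\n",
             b"\x00\x00\x04\x0c\x0a\x14" + b"\x00" * 20],      # binary KEXINIT-ish
    "tls":  [b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16,
             b"\x17\x03\x03\x00\x20" + b"\x00" * 32],          # application data
    "http": [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
             b"GET /a.css HTTP/1.1\r\nHost: example.test\r\n\r\n"],
}


def identify_stream(segments, dropped=0):
    """Run every signature over the segments the sensor actually saw.
    `dropped` leading segments were lost before the sensor (mid-stream pickup).
    Returns (app, index of the segment that identified it) or (None, None)."""
    for idx in range(dropped, len(segments)):
        for app, pattern in SIGNATURES.items():
            if re.match(pattern, segments[idx], re.DOTALL):
                return app, idx
    return None, None


def midstream_report(streams, dropped):
    """Map each true application to what the detector concluded."""
    return {truth: identify_stream(segs, dropped)[0]
            for truth, segs in streams.items()}


def false_negative_rate(streams, dropped):
    """Fraction of sessions whose application was not (or wrongly) identified."""
    report = midstream_report(streams, dropped)
    missed = sum(1 for truth, got in report.items() if got != truth)
    return missed / len(streams)


if __name__ == "__main__":
    for dropped in (0, 1):
        print(dropped, midstream_report(STREAMS, dropped),
              f"FN rate={false_negative_rate(STREAMS, dropped):.2f}")
```

With the first segment lost, the SSH and TLS sessions stay unidentified (their only identifying bytes were never seen) while HTTP is still caught on its next request line, which is exactly the "depends on what needs to be seen" distinction from the reply.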