[Snort-openappid] Analysis of Traffic Mid-stream

sripaduka R padukaietf at ...8...
Fri Jun 5 14:36:50 EDT 2015


Hi Albert, Costas

Thanks for your reply.
So I understand that this is very much application specific. For the list
of app IDs currently supported by Snort OpenAppID, is there a list
/taxonomy of which protocols are vulnerable to mid-stream pickup or similar
pathological but real conditions [missed, out of order?] and which are
the ones currently immune?

warm regards
sr

On Fri, Jun 5, 2015 at 5:23 PM, Al Lewis (allewi) <allewi at ...5...> wrote:

>  Hello,
>
>                 If the part of what is used to identify the traffic is
> dropped/missing/intercepted then the application will not be correctly
> identified all the time. Mid-stream pickup is one of those things where it
> depends on what needs to be seen before a determination can be made on the
> type of traffic.
>
> So while “missing” traffic from some applications may not affect detection
> others depend on entire sessions (or at least most of it) to correctly
> identify applications.
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...5...
>
> *From:* sripaduka R [mailto:padukaietf at ...8...]
> *Sent:* Friday, June 05, 2015 5:10 AM
> *To:* snort-openappid at lists.sourceforge.net
> *Subject:* Re: [Snort-openappid] Analysis of Traffic Mid-stream
>
> Hi all
>
> Since I did not receive any reply, I wanted to know whether I ought to be
> checking on some other Snort mailing list.
>
> The question, of course, is about mid-stream analysis specific to OpenAppID.
>
> thanks
>
> sr
>
> On Thu, Jun 4, 2015 at 7:57 PM, sripaduka R <padukaietf at ...8...> wrote:
>
> Hi all
>
> Is there any experience with OpenAppID-based analysis/detection of traffic
> that was intercepted mid-stream [as in, the first few packets of the stream
> are dropped before they reach Snort]? Will the OpenAppID framework be able
> to figure out the flow and the application concerned?
>
> What is the probability of a false positive or a false negative in such a
> scenario?
>
> thanks
>
> sr
>
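The point Al makes above (whether mid-stream pickup breaks identification depends on where in the flow the identifying bytes sit) can be seen in a small constructed simulation. This is added example code, not OpenAppID's detector API or any code from this thread; the flows, the `APPX` magic value and the two detector functions are all assumptions made for illustration.

```python
# Constructed simulation of application identification under mid-stream pickup.
# Two detector styles: one keyed to the first client payload (request line), one
# keyed to a per-message header that appears in every packet of the flow.
from typing import Callable, List, Optional, Tuple

Packet = Tuple[str, bytes]          # (direction "c2s"/"s2c", payload)
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT"}
MAGIC = b"APPX"                     # constructed per-message magic, not a real protocol

# Constructed flows: an HTTP POST whose body continues in a later packet, and a
# hypothetical framed application whose every message starts with MAGIC.
HTTP_POST_FLOW: List[Packet] = [
    ("c2s", b"POST /upload HTTP/1.1\r\nHost: host.test\r\nContent-Length: 12\r\n\r\n"),
    ("s2c", b"HTTP/1.1 100 Continue\r\n\r\n"),
    ("c2s", b"hello world!"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
FRAMED_FLOW: List[Packet] = [
    ("c2s", MAGIC + b"\x00\x01hello"), ("s2c", MAGIC + b"\x00\x02ok"),
    ("c2s", MAGIC + b"\x00\x03data"),  ("s2c", MAGIC + b"\x00\x04ack"),
]

def first_payload(packets: List[Packet], direction: str) -> Optional[bytes]:
    """Return the first payload seen in the given direction, or None."""
    return next((p for d, p in packets if d == direction), None)

def http_request_line(packets: List[Packet]) -> Optional[str]:
    """Identify HTTP only if the first client payload looks like a request line."""
    p = first_payload(packets, "c2s")
    if p and p.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in p:
        return "http"
    return None

def framed_app(packets: List[Packet]) -> Optional[str]:
    """Identify the framed app from any packet carrying the per-message magic."""
    return "framed-app" if any(p.startswith(MAGIC) for _, p in packets) else None

DETECTORS: List[Callable[[List[Packet]], Optional[str]]] = [http_request_line, framed_app]

def identify(packets: List[Packet], skip: int = 0) -> str:
    """Run detectors over a flow picked up after `skip` packets were missed."""
    seen = packets[skip:]
    return next((app for det in DETECTORS if (app := det(seen))), "unknown")

def pickup_results(packets: List[Packet]) -> List[str]:
    """Identification result for every possible mid-stream pickup point."""
    return [identify(packets, skip) for skip in range(len(packets))]
```

`pickup_results(HTTP_POST_FLOW)` yields `["http", "unknown", "unknown", "unknown"]` while `pickup_results(FRAMED_FLOW)` yields `"framed-app"` at every offset: missing the first packet is fatal for the request-line detector but harmless for a per-message one.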