[Snort-openappid] Analysis of Traffic Mid-stream

Costas Kleopa (ckleopa) ckleopa at ...5...
Fri Jun 5 14:42:18 EDT 2015

No we currently do not have such a list available.

On Jun 5, 2015, at 2:36 PM, sripaduka R <padukaietf at ...8...<mailto:padukaietf at ...8...>> wrote:

Hi Albert,Costas

Thanks for your reply.
So I understand that this is very much application specific. For the list of app ids currently supported by Snort OpenAppID, is there a list /taxonomy of what protocols are vulnerable to midstream or such pathological but real conditions [ missed , out of order ? ]  and which are the ones currently immune

warm regards

On Fri, Jun 5, 2015 at 5:23 PM, Al Lewis (allewi) <allewi at ...5...<mailto:allewi at ...5...>> wrote:

                If the part of what is used to identify the traffic is dropped/missing/intercepted then the application will not be correctly identified all the time. Mid-stream pickup is one of those things where it depends on what needs to be seen before a determination can be made on the type of traffic.

So while “missing” traffic from some applications may not affect detection others depend on entire sessions (or at least most of it) to correctly identify applications.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112[X]<x-msg://16/#>
Email: allewi at ...5...<mailto:allewi at ...5...>

From: sripaduka R [mailto:padukaietf at ...8...<mailto:padukaietf at ...8...>]
Sent: Friday, June 05, 2015 5:10 AM
To: snort-openappid at lists.sourceforge.net<mailto:snort-openappid at lists.sourceforge.net>
Subject: Re: [Snort-openappid] Analysis of Traffic Mid-stream

Hi  all

Since I did not receive any reply ... wanted to know whether I ought to be checking on some other snort mailing list.
The question of course is for midstream analysis specific to open appid ...


On Thu, Jun 4, 2015 at 7:57 PM, sripaduka R <padukaietf at ...8...<mailto:padukaietf at ...8...>> wrote:
Hi all

Is there any experience with the analysis/open appid based detection of traffic
based on traffic intercepted mid stream [ as in the first few packets of the stream are dropped prior to reception to snort ] - will the open appid framework be able to figure out the flow & concerned app.

What is the probability of a false positive or a false negative in such a scenario


Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at lists.sourceforge.net>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20150605/e843a5ec/attachment.html>

More information about the Snort-openappid mailing list