[Snort-openappid] Analysis of Traffic Mid-stream

sripaduka R padukaietf at ...8...
Fri Jun 5 15:39:47 EDT 2015


Thanks for the information

On Sat, Jun 6, 2015 at 12:12 AM, Costas Kleopa (ckleopa) <ckleopa at ...5...>
wrote:

> No, we currently do not have such a list available.
>
> On Jun 5, 2015, at 2:36 PM, sripaduka R <padukaietf at ...8...> wrote:
>
> Hi Albert, Costas,
>
> Thanks for your reply.
> So I understand that this is very much application specific. For the list
> of app IDs currently supported by Snort OpenAppID, is there a
> list/taxonomy of which protocols are vulnerable to mid-stream or similar
> pathological but real conditions [missed, out of order?] and which are
> the ones currently immune?
>
> warm regards
> sr
>
> On Fri, Jun 5, 2015 at 5:23 PM, Al Lewis (allewi) <allewi at ...5...>
> wrote:
>
>> Hello,
>>
>> If the part of what is used to identify the traffic is
>> dropped/missing/intercepted then the application will not be correctly
>> identified all the time. Mid-stream pickup is one of those things where it
>> depends on what needs to be seen before a determination can be made on the
>> type of traffic.
>>
>> So while “missing” traffic from some applications may not affect
>> detection, others depend on entire sessions (or at least most of it) to
>> correctly identify applications.
>>
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...5...
>>
>> From: sripaduka R [mailto:padukaietf at ...8...]
>> Sent: Friday, June 05, 2015 5:10 AM
>> To: snort-openappid at lists.sourceforge.net
>> Subject: Re: [Snort-openappid] Analysis of Traffic Mid-stream
>>
>> Hi all,
>>
>> Since I did not receive any reply ... wanted to know whether I ought to
>> be checking on some other Snort mailing list.
>>
>> The question of course is for mid-stream analysis specific to OpenAppID
>> ...
>>
>> thanks
>>
>> sr
>>
>> On Thu, Jun 4, 2015 at 7:57 PM, sripaduka R <padukaietf at ...8...> wrote:
>>
>> Hi all,
>>
>> Is there any experience with the analysis/OpenAppID-based detection of
>> traffic, based on traffic intercepted mid-stream [as in, the first few
>> packets of the stream are dropped prior to reception by Snort]? Will the
>> OpenAppID framework be able to figure out the flow & concerned app?
>>
>> What is the probability of a false positive or a false negative in such a
>> scenario?
>>
>> thanks
>>
>> sr
>>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-openappid
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
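As an added illustration (not code from this thread and not OpenAppID's real detectors), the toy simulation below models Al's point: a detector whose evidence sits in the first packet of a flow silently misses (false negative) when the sensor picks the flow up mid-stream, while a detector keyed on a pattern that recurs through the session still fires. The detector definitions and sample sessions are constructed for the example.

```python
"""Toy model of mid-stream pickup versus application identification.

Hypothetical, simplified detectors: each one states what byte pattern it
needs and whether that pattern must appear in the flow's first packet.
"""
from dataclasses import dataclass


@dataclass
class Detector:
    app: str
    pattern: bytes
    first_packet_only: bool  # True: evidence must be in the first packet seen


# Constructed detectors. SSH and HTTP identify from the opening bytes of a
# session; the made-up 'chat-proto' keyword recurs in later packets too.
DETECTORS = [
    Detector("ssh", b"SSH-2.0-", first_packet_only=True),
    Detector("http", b"GET / HTTP/1.1", first_packet_only=True),
    Detector("chat-proto", b"MSG:", first_packet_only=False),
]


def identify(packets):
    """Return the set of app names whose evidence is present in `packets`."""
    found = set()
    for i, payload in enumerate(packets):
        for d in DETECTORS:
            if d.first_packet_only and i != 0:
                continue  # evidence too late in the flow for this detector
            if d.pattern in payload:
                found.add(d.app)
    return found


def midstream(packets, dropped):
    """Model a sensor that only saw the flow after `dropped` leading packets.

    The sensor does not know packets were missed, so the first packet it sees
    is treated as packet 0 by the first-packet-only detectors."""
    return packets[dropped:]


# Constructed client-to-server payloads for two sample sessions.
SSH_SESSION = [b"SSH-2.0-OpenSSH_6.7\r\n", b"\x00\x00\x05\xdc kexinit", b"encrypted"]
CHAT_SESSION = [b"HELLO alice", b"MSG: hi", b"MSG: how are you", b"BYE"]


def compare(session, dropped):
    """Identification on the full flow vs. after mid-stream pickup."""
    return identify(session), identify(midstream(session, dropped))


if __name__ == "__main__":
    for name, s in (("ssh", SSH_SESSION), ("chat", CHAT_SESSION)):
        full, partial = compare(s, dropped=1)
        print(f"{name}: full={full or 'unknown'} midstream={partial or 'unknown'}")
```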