[Snort-openappid] OpenAppID rules (New Call)

Carlos Rodriguez Hernandez crodriguezh.ext at ...109...
Fri Nov 6 05:20:24 EST 2015


Hello everyone,

So at this moment enabling AppID allows you to identify the traffic and
apply specific "ad hoc" rules but doesn't:

1) Enable you to reduce the number of security rules based on specific
traffic profile (say use http rules only when traffic is detected as http)
NOR
2) Reduce or eliminate the need to use portvars so as to enable a specific
preprocessor or rule to trigger outside the "typical" ports

Is this right?

I was thinking of creating a set of OpenAppID rules to detect the
operating system and use that information to feed the Snort Inventory data
(applied to things like normalization), but as you note, enabling AppID of
course has a performance penalty. I expected it to, in contrast, improve
the rules' efficiency and reduce the false positives :disappointed:
Either way, a path to investigate.

Thanks, Carlos

-- 
Carlos Rodríguez Hernández
*Fellow Developer*
redborder.net | +34 609477932



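The contrast Carlos raises in point 2 (port-bound rules versus rules keyed on what AppID identified) can be shown with two Snort rules. This is an added example, not part of the original post or of the Snort rule sets; it assumes Snort 2.9.7 or later with the AppID preprocessor enabled (which provides the `appid` rule option), and the `msg` strings and `sid` values are constructed placeholders.

```snort
# Port-based rule (constructed example): evaluated only for traffic on
# $HTTP_PORTS, so an HTTP server listening on a non-standard port is never
# inspected by this rule unless the portvar is widened.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE HTTP URI traversal (port-based)"; flow:to_server,established; content:"/../"; http_uri; classtype:web-application-attack; sid:1000001; rev:1;)

# AppID-based rule (constructed example): the destination port is "any" and the
# appid option restricts evaluation to flows the AppID preprocessor has
# identified as HTTP, so no portvar change is needed for the rule itself.
# Note the plain content match: http_uri is deliberately not used here, because
# the http_inspect buffers are only populated on ports http_inspect is
# configured to inspect (see the note below).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE HTTP URI traversal (appid-based)"; flow:to_server,established; appid:http; content:"/../"; classtype:web-application-attack; sid:1000002; rev:1;)
```

The caveat a practitioner will hit is exactly the preprocessor half of point 2: `appid:http;` only gates whether the rule is evaluated for a flow, it does not make http_inspect normalize traffic on a port that is absent from its `ports { ... }` list, so `http_uri`, `http_header` and friends stay empty there and a rule relying on them silently never fires. Either keep such rules on raw `content` matches, or widen the http_inspect port list (or enable its port-independent detection where the Snort version offers it) alongside the AppID-based rule.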