[Snort-openappid] OpenAppID rules (New Call)
Carlos Rodriguez Hernandez
crodriguezh.ext at ...109...
Fri Nov 6 05:20:24 EST 2015
So at this moment enabling AppID allows you to identify the traffic and
apply specific "ad hoc" rules, but doesn't:

1) Enable you to reduce the number of security rules based on a specific
traffic profile (say, use HTTP rules only when traffic is detected as HTTP)
2) Reduce or eliminate the need to use portvars so as to enable a specific
preprocessor or rule to trigger outside the "typical" ports

Is this right?

I was thinking of creating a set of OpenAppID rules to detect the
operating system and use that information to feed the Snort inventory data
(applied to things like normalization), but as you note, enabling AppID of
course has a performance penalty, whereas I expected it to improve
the rules' efficiency and reduce the false positives :disappointed:

Either way, a path to investigate.
Carlos Rodríguez Hernández
redborder.net | +34 609477932
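To make the "ad hoc rules" point concrete, here is an added example of the two rule styles being compared; it is not part of the original message. It assumes a Snort 2.9.7 or later build with OpenAppID enabled (the `appid` preprocessor loaded in snort.conf), the usual `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` variables, and locally chosen SIDs in the 1000000+ range (constructed values). The app name `http` is the OpenAppID identifier for HTTP.

```snort
# Added example, not from the original post. Assumes Snort 2.9.7+ with
# OpenAppID loaded; SIDs below are constructed local values.

# Port-bound rule: evaluated only for traffic to the ports listed in $HTTP_PORTS.
# A web server listening on an unusual port is never seen by this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP request on a standard HTTP port"; flow:to_server,established; sid:1000001; rev:1;)

# AppID-bound rule: "any" as the destination port, with the appid option
# restricting the match to flows the appid preprocessor has identified as HTTP.
# No portvar is needed for the rule itself to fire on a non-standard port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP request identified by AppID on any port"; flow:to_server,established; appid:http; sid:1000002; rev:1;)
```

The second rule illustrates the part of the question AppID does address: the rule's own port restriction can be replaced by the application identification. It also illustrates what the post says it does not do: `appid` is an ordinary rule option checked on each candidate rule, so the full rule set is still loaded and evaluated, and preprocessors such as http_inspect are still configured by port in snort.conf rather than by detected application.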