[Snort-openappid] OpenAppID rules (New Call)

Joel Esler (jesler) jesler at ...5...
Fri Nov 6 05:57:54 EST 2015


Everything has a performance penalty. It may be big or small. But I don't think a feature that you want to use should be discarded because it may have a performance penalty.

OpenAppID can indeed do those things, auto-detect protocols, etc., and you should give it a shot. Don't be discouraged because something may have a penalty.

--
Joel Esler
Manager, Talos
Sent from my iPhone

On Nov 6, 2015, at 5:51 AM, Carlos Rodriguez Hernandez <crodriguezh.ext at ...39...109...<mailto:crodriguezh.ext at ...109...>> wrote:

Hello everyone,

So at this moment enabling AppID allows you to identify the traffic and apply specific "ad hoc" rules but doesn't:

1) Enable you to reduce the number of security rules based on a specific traffic profile (say, use HTTP rules only when traffic is detected as HTTP), NOR
2) Reduce or eliminate the need to use portvars so as to enable a specific preprocessor or rule to trigger outside the "typical" ports

Is this right?

I was thinking of creating a set of OpenAppID rules to detect the operating system and use that information to feed the Snort Inventory data (applied to things like normalization), but as you note, enabling AppID of course has a performance penalty, whereas I expected it to improve rule efficiency and reduce false positives :disappointed:
Either way, a path to investigate.

Thanks, Carlos

--
Carlos Rodríguez Hernández
Fellow Developer
redborder.net<http://redborder.net/> | +34 609477932

_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net<mailto:Snort-openappid at ...12...rge.net>
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!