[Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

Patrick Yip ppatrickyip at ...8...
Thu Apr 14 01:46:40 EDT 2016


I am using open-appid in snort version 2.9.7.6 to detect https connections.
A lot of times, open-appid was not able to detect the app because the
serverHello packet arrived out of order. Attached is a pcap file when the
serverHello packet was received out of order.

I saw there are
#ifdef APP_ID_USES_REASSEMBLED

in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use
REASSEMBLED packets from the stream preprocessor.

Adding
#define APP_ID_USES_REASSEMBLED
in fw_appid.c seems to make the SSL appid detection work better.

Are there any problems or side effects with the APP_ID_USES_REASSEMBLED flag
enabled? Since this flag is not enabled in the snort 2.9.7.6 source code,
is this a supported feature?

Also, the code switch using
#ifdef APP_ID_USES_REASSEMBLED

has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort 2.9.8.x
support using stream preprocessor reassembled packets for appid?

Thanks,
Patrick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: https-trace.pcap
Type: application/octet-stream
Size: 8523 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20160413/3b01b7e9/attachment.obj>
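The failure mode described in the post, modelled as an added example (not Snort's code and not the poster's): a detector that judges the flow from the first server-to-client payload it sees misses the ServerHello when that segment arrives after a later one, while the same check over the stream-reassembled bytes succeeds. All function names and the TLS byte values are constructed for illustration.

```python
# Constructed model (not Snort/OpenAppID code) of packet-mode vs reassembled
# SSL detection when the ServerHello TCP segment arrives out of order.
# All functions and sample bytes below are assumptions for illustration.

def build_server_hello() -> bytes:
    """Minimal TLS 1.2 ServerHello record with constructed field values."""
    body = (b"\x03\x03"             # server_version = TLS 1.2
            + b"\x00" * 32          # random
            + b"\x00"               # session_id length 0
            + b"\xc0\x2f"           # cipher suite
            + b"\x00")              # compression method
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = server_hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

def build_certificate_record() -> bytes:
    """Stand-in Certificate handshake record (type 11) with a dummy body."""
    body = b"\x00" * 16
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

def is_server_hello(data: bytes) -> bool:
    """Stateless check: handshake record (0x16) whose handshake type is 2."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x02

def out_of_order_segments(isn: int = 1000):
    """(seq, payload) pairs in *arrival* order: Certificate before ServerHello."""
    hello, cert = build_server_hello(), build_certificate_record()
    return [(isn + len(hello), cert), (isn, hello)]

def reassemble(segments):
    """Tiny in-order reassembler: sort by seq, append only contiguous payloads."""
    ordered = sorted(segments, key=lambda s: s[0])
    out, expected = b"", ordered[0][0]
    for seq, payload in ordered:
        if seq != expected:   # hole: a real stream engine would wait for the gap to fill
            break
        out += payload
        expected += len(payload)
    return out

def detect_first_arrival(segments) -> bool:
    """Packet-mode detector: decides from the first server payload it sees."""
    return is_server_hello(segments[0][1])

def detect_reassembled(segments) -> bool:
    """Same check, applied to the reassembled stream instead."""
    return is_server_hello(reassemble(segments))
```

With the constructed arrival order, `detect_first_arrival` returns False and `detect_reassembled` returns True, which is the behaviour difference the post observes when APP_ID_USES_REASSEMBLED is defined.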