[Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

Mike Stepanek (mstepane) mstepane at ...5...
Mon Apr 18 10:14:50 EDT 2016


Patrick -

Yes, your observations are accurate.  I'd say that adding that #define in definitely voids the warranty, and mileage may vary in other parts of the code (I don't have specifics off the top of my head).  :)  So, I'd say it's an unsupported feature at the moment.  2.9.8 would play by the same rules.  That code/ifdef/define may just have moved around a bit since then (i.e., the concept is still unsupported).

- Mike

From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Thursday, April 14, 2016 1:47 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

I am using open-appid in snort version 2.9.7.6 to detect https connections.
A lot of times, open-appid was not able to detect the app because the serverHello packet arrived out of order. Attached is a pcap file when the serverHello packet was received out of order.

I saw there are
#ifdef APP_ID_USES_REASSEMBLED

in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use REASSEMBLED packets from the stream preprocessor.

Adding
#define APP_ID_USES_REASSEMBLED
in fw_appid.c seems to make the SSL appid detection work better.

Are there any problems or side effects with the APP_ID_USES_REASSEMBLED flag enabled? Since this flag is not enabled in the snort 2.9.7.6 source code, is this a supported feature?

Also, the code switch using
#ifdef APP_ID_USES_REASSEMBLED

has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort 2.9.8.x support using stream preprocessor reassembled packets for appid?

Thanks,
Patrick
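The failure Patrick describes (ServerHello missed when its TCP segment arrives out of order) comes down to whether the detector inspects segments in arrival order or inspects the reassembled byte stream. The following C program is an added illustration of that difference; it is not Snort code and does not reproduce the appid preprocessor or its APP_ID_USES_REASSEMBLED path. It assumes a simplified "first server-to-client segment" classifier for the per-packet case, a toy 512-byte reassembly window, and constructed, truncated TLS 1.2 ServerHello and Certificate records as sample segments.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One TCP segment as a stream engine would hand it over: relative sequence
 * number (offset into the server-to-client byte stream) plus payload. */
typedef struct {
    uint32_t seq;
    const uint8_t *data;
    size_t len;
} tcp_segment_t;

/* Constructed sample: a minimal TLS 1.2 ServerHello record (random truncated). */
static const uint8_t k_server_hello[] = {
    0x16, 0x03, 0x03, 0x00, 0x0a,            /* record: handshake, TLS 1.2, length 10 */
    0x02, 0x00, 0x00, 0x06,                  /* handshake: ServerHello, body length 6 */
    0x03, 0x03, 0x00, 0x00, 0x00, 0x00       /* server version + start of random */
};

/* Constructed sample: a TLS 1.2 Certificate record with an empty list. */
static const uint8_t k_certificate[] = {
    0x16, 0x03, 0x03, 0x00, 0x07,            /* record: handshake, TLS 1.2, length 7 */
    0x0b, 0x00, 0x00, 0x03,                  /* handshake: Certificate, body length 3 */
    0x00, 0x00, 0x00                         /* certificate_list length 0 */
};

/* Returns 1 if buf starts with a TLS handshake record (type 0x16, version 3.x)
 * whose first handshake message is ServerHello (0x02), else 0. */
int tls_starts_with_server_hello(const uint8_t *buf, size_t len) {
    if (len < 6) return 0;
    if (buf[0] != 0x16 || buf[1] != 0x03) return 0;
    return buf[5] == 0x02;
}

/* Per-packet detector: inspects only the first server-to-client segment that
 * arrives, as a classifier without stream reassembly would. Returns 1 if that
 * segment begins with ServerHello, 0 otherwise (detection is abandoned). */
int detect_per_packet(const tcp_segment_t *segs, size_t n) {
    if (n == 0) return 0;
    return tls_starts_with_server_hello(segs[0].data, segs[0].len);
}

/* Reassembling detector: places each segment at its sequence offset and only
 * inspects the stream once the bytes from offset 0 are contiguous. Returns 1
 * if ServerHello is found at the start of the stream, 0 otherwise. */
int detect_reassembled(const tcp_segment_t *segs, size_t n) {
    uint8_t stream[512];                     /* toy reassembly window (assumption) */
    uint8_t have[512] = {0};                 /* which stream bytes are filled in */
    for (size_t i = 0; i < n; i++) {
        size_t end = segs[i].seq + segs[i].len;
        if (end > sizeof stream) return 0;   /* beyond the toy window: give up */
        memcpy(stream + segs[i].seq, segs[i].data, segs[i].len);
        memset(have + segs[i].seq, 1, segs[i].len);
        /* length of the contiguous prefix starting at offset 0 */
        size_t contig = 0;
        while (contig < sizeof stream && have[contig]) contig++;
        if (tls_starts_with_server_hello(stream, contig)) return 1;
    }
    return 0;
}

/* Builds the two-segment server-to-client stream (ServerHello at seq 0, then
 * Certificate) in either arrival order and runs the chosen detector. */
int run_scenario(int out_of_order, int use_reassembly) {
    const tcp_segment_t hello = { 0, k_server_hello, sizeof k_server_hello };
    const tcp_segment_t cert  = { (uint32_t)sizeof k_server_hello,
                                  k_certificate, sizeof k_certificate };
    tcp_segment_t arrival[2];
    arrival[0] = out_of_order ? cert : hello;
    arrival[1] = out_of_order ? hello : cert;
    return use_reassembly ? detect_reassembled(arrival, 2)
                          : detect_per_packet(arrival, 2);
}

int main(void) {
    printf("in order,     per-packet : %d\n", run_scenario(0, 0));
    printf("out of order, per-packet : %d\n", run_scenario(1, 0));
    printf("out of order, reassembled: %d\n", run_scenario(1, 1));
    return 0;
}
```

With the segments in order both detectors report the ServerHello; once the Certificate segment is seen first, only the reassembling detector still finds it, because it waits for a contiguous prefix before classifying instead of judging each segment as it arrives.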
