[Snort-openappid] SSL app detection with snort open-appid version 18.104.22.168 using reassembled packets
Mike Stepanek (mstepane)
mstepane at ...5...
Mon Apr 18 10:14:50 EDT 2016
Yes, your observations are accurate. I'd say that adding that #define in definitely voids the warranty, and mileage may vary in other parts of the code (I don't have specifics off the top of my head). :) So, I'd say it's an unsupported feature at the moment. 2.9.8 would play by the same rules. That code/ifdef/define may just have moved around a bit since then (i.e., the concept is still unsupported).
From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Thursday, April 14, 2016 1:47 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] SSL app detection with snort open-appid version 22.214.171.124 using reassembled packets
I am using open-appid in snort version 126.96.36.199 to detect https connections.
A lot of times, open-appid was not able to detect the app because the serverHello packet arrived out of order. Attached is a pcap file when the serverHello packet was received out of order.
I saw there are
in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use REASSEMBLED packets from the stream preprocessor.
in fw_appid.c seems to make the SSL appid detection work better.
Are there any problems or side effects with the APPID_USES_REASSEMBLED flag enabled? Since this flag is not enabled in the snort 188.8.131.52 source code, is this a supported feature?
Also, the code switch using
has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort 2.9.8.x support using stream preprocessor reassembled packets for appid?
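To make the failure mode in the question concrete, here is an added, self-contained example (not Snort or OpenAppID code, and not a model of how fw_appid.c or the stream preprocessor are implemented). It builds a constructed TLS 1.2 ClientHello and ServerHello, splits the ServerHello record across two TCP segments that arrive out of order, and runs a toy hello-pair detector twice: once over each packet payload in isolation, and once over bytes put back in sequence-number order. The record builders, sequence numbers, and the `classify` helper are all assumptions made for the demo.

```python
import struct

# Added example (not Snort/OpenAppID code): a toy TLS-handshake "app detector" run
# over TCP segments once packet-by-packet and once over stream-reassembled bytes,
# to show why an out-of-order, segmented ServerHello is missed in the first mode.
# All sample records and sequence numbers below are constructed for the demo.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2


def tls_record(body: bytes, ctype: int = TLS_HANDSHAKE, version: int = 0x0303) -> bytes:
    """Wrap body in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake header: msg_type(1) length(3)."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def client_hello(sni: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    host = struct.pack("!BH", 0, len(sni)) + sni
    sni_ext = struct.pack("!HHH", 0, len(host) + 2, len(host)) + host
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32          # version, random
            + b"\x00"                                         # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    return tls_record(handshake(CLIENT_HELLO, body))


def server_hello() -> bytes:
    """Minimal TLS 1.2 ServerHello (random is all 0x11 so a mid-record split is obvious)."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    return tls_record(handshake(SERVER_HELLO, body))


def parse_records(buf: bytes):
    """Parse complete TLS handshake records; return (handshake msg types, unconsumed tail)."""
    found = []
    while len(buf) >= 5:
        ctype, version, length = struct.unpack("!BHH", buf[:5])
        if ctype != TLS_HANDSHAKE or (version >> 8) != 3 or length == 0:
            return found, b""        # data does not start at a TLS handshake record
        if len(buf) < 5 + length:
            return found, buf        # record incomplete: need more bytes first
        found.append(buf[5])         # handshake message type
        buf = buf[5 + length:]
    return found, buf


class StreamReassembler:
    """Orders TCP payloads by sequence number and returns the contiguous stream so far."""

    def __init__(self, isn: int):
        self.next_seq = isn
        self.pending = {}
        self.data = b""

    def push(self, seq: int, payload: bytes) -> bytes:
        self.pending[seq] = payload
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)
        return self.data


def handshake_types(segments, reassemble: bool):
    """segments: list of (seq, payload) in ARRIVAL order for one direction."""
    if not reassemble:
        # Packet-by-packet: each payload is inspected in isolation, so a record
        # fragment that does not start at a record boundary yields nothing.
        seen = set()
        for _, payload in segments:
            seen.update(parse_records(payload)[0])
        return seen
    stream = StreamReassembler(min(seq for seq, _ in segments))
    data = b""
    for seq, payload in segments:
        data = stream.push(seq, payload)
    return set(parse_records(data)[0])


def classify(client_segments, server_segments, reassemble: bool) -> str:
    """Report 'SSL' only once both hellos have been seen, as a hello-pair detector would."""
    c = handshake_types(client_segments, reassemble)
    s = handshake_types(server_segments, reassemble)
    return "SSL" if CLIENT_HELLO in c and SERVER_HELLO in s else "unknown"


# Constructed capture: one ClientHello segment; the ServerHello record split across two
# segments that arrive out of order (second half first), as in the question.
SH = server_hello()
CLIENT_SEGS = [(1000, client_hello(b"example.test"))]
SERVER_SEGS_IN_ORDER = [(5000, SH)]
SERVER_SEGS_OOO = [(5020, SH[20:]), (5000, SH[:20])]

if __name__ == "__main__":
    print("in-order, per-packet     :", classify(CLIENT_SEGS, SERVER_SEGS_IN_ORDER, False))
    print("out-of-order, per-packet :", classify(CLIENT_SEGS, SERVER_SEGS_OOO, False))
    print("out-of-order, reassembled:", classify(CLIENT_SEGS, SERVER_SEGS_OOO, True))
```

In per-packet mode the late-arriving first half is an incomplete record and the early-arriving second half does not begin with a record header, so neither packet yields a ServerHello and the session stays "unknown"; after sequence-ordered reassembly the same bytes parse cleanly. The toy reassembler keeps no per-flow limits or retransmission handling, which is part of why a real stream preprocessor is the right place for this work rather than the app detector.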