[Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

Patrick Yip ppatrickyip at ...8...
Mon Apr 18 11:35:44 EDT 2016


Mike,
Thanks for confirming my observations.
Is the feature planned to be in the roadmap for future 2.9 releases?

Patrick

On Mon, Apr 18, 2016 at 7:14 AM, Mike Stepanek (mstepane) <mstepane at ...5...> wrote:

> Patrick -
>
>
>
> Yes, your observations are accurate.  I'd say that adding that #define in
> definitely voids the warranty, and mileage may vary in other parts of the
> code (I don't have specifics off the top of my head).  :)  So, I'd say it's
> an unsupported feature at the moment.  2.9.8 would play by the same rules.
> That code/ifdef/define may just have moved around a bit since then (i.e.,
> the concept is still unsupported).
>
>
>
> - Mike
>
>
>
> *From:* Patrick Yip [mailto:ppatrickyip at ...8...]
> *Sent:* Thursday, April 14, 2016 1:47 AM
> *To:* snort-openappid at lists.sourceforge.net
> *Subject:* [Snort-openappid] SSL app detection with snort open-appid
> version 2.9.7.6 using reassembled packets
>
>
>
> I am using open-appid in snort version 2.9.7.6 to detect https connections.
>
> A lot of times, open-appid was not able to detect the app because the
> serverHello packet arrived out of order. Attached is a pcap file when the
> serverHello packet was received out of order.
>
>
>
> I saw there are
>
> #ifdef APP_ID_USES_REASSEMBLED
>
>
>
> in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use
> REASSEMBLED packets from the stream preprocessor.
>
>
>
> Adding
>
> #define APP_ID_USES_REASSEMBLED
>
> in fw_appid.c seems to make the SSL appid detection work better.
>
>
>
> Are there any problems or side effects with the APP_ID_USES_REASSEMBLED
> flag enabled? Since this flag is not enabled in the snort 2.9.7.6 source
> code, is this a supported feature?
>
>
>
> Also, the code switch using
>
> #ifdef APP_ID_USES_REASSEMBLED
>
>
>
> has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort
> 2.9.8.x support using stream preprocessor reassembled packets for appid?
>
>
>
> Thanks,
>
> Patrick
>
>
>
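The failure mode Patrick describes, shown as an added example that is not Snort or OpenAppID code: a detector that classifies a flow from the first server payload it sees gives up when a reordered TCP segment (mid-Certificate bytes) arrives before the segment carrying the ServerHello, while the same decision rule applied to stream-reassembled bytes only ever sees data in sequence order. The TLS records, the TCP segmentation and the sequence numbers are constructed; the detector and reassembler are simplified stand-ins for the real preprocessors.

```python
"""
Added example (not Snort/OpenAppID source): per-segment TLS detection versus
detection over reassembled stream bytes when the ServerHello segment is
reordered. All packet data below is constructed.
"""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
HS_CERTIFICATE = 0x0B
ISN = 1000  # constructed initial sequence number of the server->client stream


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def tls_record(handshake_type: int, body: bytes) -> bytes:
    """Wrap one handshake message in a TLS 1.2 record."""
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


def build_server_flight() -> bytes:
    """ServerHello followed by a Certificate record (constructed contents)."""
    server_hello = (b"\x03\x03" + b"\x11" * 32      # version, random
                    + b"\x00"                       # empty session id
                    + b"\xc0\x2f" + b"\x00")        # cipher suite, null compression
    certificate = b"\x00\x00\x43" + b"\x00\x00\x40" + b"\xaa" * 64  # list len, cert len, fake DER
    return tls_record(HS_SERVER_HELLO, server_hello) + tls_record(HS_CERTIFICATE, certificate)


def tls_handshake_types(data: bytes) -> list:
    """Handshake types of the complete TLS records at the start of data.
    Stops at the first incomplete record; [] means data does not begin with
    a TLS handshake record header."""
    types, off = [], 0
    while off + 5 <= len(data):
        ctype, vmaj, _vmin, rlen = struct.unpack("!BBBH", data[off:off + 5])
        if ctype != TLS_HANDSHAKE or vmaj != 0x03 or off + 5 + rlen > len(data):
            break
        pos, end = off + 5, off + 5 + rlen
        while pos + 4 <= end:
            types.append(data[pos])
            pos += 4 + int.from_bytes(data[pos + 1:pos + 4], "big")
        off = end
    return types


def detect_per_packet(segments) -> str:
    """Unreassembled: decide from the first server payload in arrival order.
    If it does not start with a TLS handshake record, the flow is written off
    (a detector that has moved on does not revisit it)."""
    if not segments:
        return "undecided"
    return "tls" if HS_SERVER_HELLO in tls_handshake_types(segments[0].payload) else "not-tls"


class Reassembler:
    """Minimal TCP reassembler: holds out-of-order segments and releases bytes
    only once they are contiguous with what was already delivered."""
    def __init__(self, isn: int):
        self.next_seq = isn
        self.pending = {}
        self.stream = bytearray()

    def feed(self, seg: Segment) -> bytes:
        self.pending[seg.seq] = seg.payload
        released = bytearray()
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            released += chunk
            self.next_seq += len(chunk)
        self.stream += released
        return bytes(released)


def detect_reassembled(segments, isn: int) -> str:
    """Same decision rule as detect_per_packet, applied to reassembled bytes."""
    r = Reassembler(isn)
    for seg in segments:
        if not r.feed(seg):
            continue  # gap before this segment not yet filled: nothing to inspect
        return "tls" if HS_SERVER_HELLO in tls_handshake_types(bytes(r.stream)) else "not-tls"
    return "undecided"


def segments_for(flight: bytes, isn: int, cut: int, reorder: bool) -> list:
    """Split the flight into two TCP segments at byte offset cut (constructed)."""
    head, tail = Segment(isn, flight[:cut]), Segment(isn + cut, flight[cut:])
    return [tail, head] if reorder else [head, tail]


if __name__ == "__main__":
    flight = build_server_flight()
    cut = 67  # inside the Certificate record, so the tail starts with raw cert bytes
    for label, segs in (("in order", segments_for(flight, ISN, cut, False)),
                        ("reordered", segments_for(flight, ISN, cut, True))):
        print(f"{label:9s} per-packet={detect_per_packet(segs):8s} "
              f"reassembled={detect_reassembled(segs, ISN)}")
```

Running it prints "tls" for both detectors when the segments arrive in order, but "not-tls" for the per-packet detector and "tls" for the reassembled one when the tail segment arrives first. The cut point matters: if the reordered tail happened to start on a record boundary, a per-packet detector that accepts any handshake record would still classify the flow, which is why reordering shows up intermittently in practice rather than on every connection.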