[Snort-openappid] SSL app detection with snort open-appid version using reassembled packets

Mike Stepanek (mstepane) mstepane at ...5...
Mon Apr 18 11:48:08 EDT 2016

I think it would be a worthwhile feature, but I'm not sure where it's going to end up in the roadmap... or if 2.x or 3.x would get our best opportunity to get it in.

From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Monday, April 18, 2016 11:36 AM
To: Mike Stepanek (mstepane) <mstepane at ...5...>
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] SSL app detection with snort open-appid version using reassembled packets

Thanks for confirming my observations.
Is the feature planned to be in the roadmap for future 2.9 releases?


On Mon, Apr 18, 2016 at 7:14 AM, Mike Stepanek (mstepane) <mstepane at ...5...> wrote:
Patrick -

Yes, your observations are accurate.  I'd say that adding that #define in definitely voids the warranty, and mileage may vary in other parts of the code (I don't have specifics off the top of my head).  :)  So, I'd say it's an unsupported feature at the moment.  2.9.8 would play by the same rules.  That code/ifdef/define may just have moved around a bit since then (i.e., the concept is still unsupported).

- Mike

From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Thursday, April 14, 2016 1:47 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] SSL app detection with snort open-appid version using reassembled packets

I am using open-appid in snort version to detect https connections.
A lot of times, open-appid was not able to detect the app because the serverHello packet arrived out of order. Attached is a pcap file when the serverHello packet was received out of order.

I saw there are

in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use REASSEMBLED packets from the stream preprocessor.

in fw_appid.c seems to make the SSL appid detection work better.

Are there any problems or side effects with the APPID_USES_REASSEMBLED flag enabled? Since this flag is not enabled in the snort source code, is this a supported feature?

Also, the code switch using

has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort 2.9.8.x support using stream preprocessor reassembled packets for appid?
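
The failure mode Patrick describes, as an added illustration that is not code from this thread or from Snort: a toy SSL/TLS app detector is run once over raw server segments in arrival order and once over the TCP-reassembled stream, which is what the stream preprocessor hands to AppID when it is built with APPID_USES_REASSEMBLED. The packets, the base sequence number of 0 and the "first server payload decides" detector state machine are all constructed assumptions for the demonstration.

```python
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
SERVER_HELLO = 0x02   # handshake message types
CERTIFICATE = 0x0B


def tls_record(hs_type: int, body: bytes) -> bytes:
    """Wrap one handshake message in a TLS 1.2 record (type, version, length)."""
    hs_msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", HANDSHAKE, 0x0303, len(hs_msg)) + hs_msg


def handshake_type(data: bytes):
    """Handshake type of the record at the start of data, or None when that
    prefix is not a complete handshake record (mid-record bytes, truncation)."""
    if len(data) < 6 or data[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack(">H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None
    return data[5]


def detect_per_packet(segments):
    """Detector fed raw (seq, payload) server segments in arrival order: the
    first server payload must be a ServerHello, otherwise the flow is dropped
    from SSL detection (a simplified stand-in for the per-packet code path)."""
    return handshake_type(segments[0][1]) == SERVER_HELLO


def reassemble(segments):
    """What a stream preprocessor does: order by sequence number and join
    contiguous payload (constructed assumption: base seq 0, stop at a hole)."""
    stream = b""
    for seq, payload in sorted(segments):
        if seq != len(stream):
            break
        stream += payload
    return stream


def detect_reassembled(segments):
    """Same detector, but looking at the reassembled server-to-client stream."""
    return handshake_type(reassemble(segments)) == SERVER_HELLO


# Constructed server->client handshake: ServerHello record, then Certificate.
SERVER_HELLO_REC = tls_record(SERVER_HELLO, b"\x03\x03" + b"\x11" * 32 + b"\x00\xc0\x2f\x00")
CERT_REC = tls_record(CERTIFICATE, b"\x00\x00\x10" + b"\x00" * 16)
IN_ORDER = [(0, SERVER_HELLO_REC), (len(SERVER_HELLO_REC), CERT_REC)]
OUT_OF_ORDER = [IN_ORDER[1], IN_ORDER[0]]   # Certificate segment arrives first
```

With IN_ORDER both detectors report SSL; with OUT_OF_ORDER only detect_reassembled does, because the per-packet path sees a Certificate record first and gives up before the ServerHello arrives.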

