[Snort-openappid] SSL app detection with snort open-appid version 18.104.22.168 using reassembled packets
Mike Stepanek (mstepane)
mstepane at ...5...
Mon Apr 18 11:48:08 EDT 2016
I think it would be a worthwhile feature, but I'm not sure where it's going to end up in the roadmap... or if 2.x or 3.x would get our best opportunity to get it in.
From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Monday, April 18, 2016 11:36 AM
To: Mike Stepanek (mstepane) <mstepane at ...5...>
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] SSL app detection with snort open-appid version 22.214.171.124 using reassembled packets
Thanks for confirming my observations.
Is the feature planned to be in the roadmap for future 2.9 releases?
On Mon, Apr 18, 2016 at 7:14 AM, Mike Stepanek (mstepane) <mstepane at ...5...> wrote:
Yes, your observations are accurate. I'd say that adding that #define in definitely voids the warranty, and mileage may vary in other parts of the code (I don't have specifics off the top of my head). :) So, I'd say it's an unsupported feature at the moment. 2.9.8 would play by the same rules. That code/ifdef/define may just have moved around a bit since then (i.e., the concept is still unsupported).
From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Thursday, April 14, 2016 1:47 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] SSL app detection with snort open-appid version 126.96.36.199 using reassembled packets
I am using open-appid in snort version 188.8.131.52 to detect https connections.
A lot of times, open-appid was not able to detect the app because the serverHello packet arrived out of order. Attached is a pcap file when the serverHello packet was received out of order.
I saw there are
in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use REASSEMBLED packets from the stream preprocessor.
in fw_appid.c seems to make the SSL appid detection work better.
Are there any problems or side effects with the APPID_USES_REASSEMBLED flag enabled? Since this flag is not enabled in the snort 184.108.40.206 source code, is this a supported feature?
Also, the code switch using
has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort 2.9.8.x support using stream preprocessor reassembled packets for appid?
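The failure mode the thread describes, as an added illustration that is not code from the thread, from Snort, or from the OpenAppID preprocessor: a detector that inspects each TCP segment on its own cannot recognise a TLS ServerHello whose record is split across segments that arrive out of order, while the same detector run over the stream-reassembled payload (the idea behind the APPID_USES_REASSEMBLED switch the posts mention) succeeds. The TLS record bytes, sequence numbers and the `Segment` type are constructed for the example; `reassemble` is a deliberately small model of what a stream preprocessor does, not Snort's implementation.

```python
"""Per-packet vs. reassembled detection of a TLS ServerHello.

Everything here is constructed sample data and simplified logic written to
illustrate the mailing-list discussion; it is not Snort/OpenAppID code.
"""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
SERVER_HELLO = 0x02    # handshake message type: ServerHello


def build_server_hello_record(version=(3, 3)):
    """Build a minimal, constructed TLS handshake record carrying a ServerHello."""
    # ServerHello body: version, 32-byte random, empty session id,
    # one cipher suite (constructed value 0x1301), null compression, no extensions.
    body = bytes(version) + b"\x11" * 32 + b"\x00" + b"\x13\x01" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + bytes(version)
            + len(handshake).to_bytes(2, "big") + handshake)


@dataclass
class Segment:
    """One TCP segment's payload with its sequence number (constructed)."""
    seq: int
    payload: bytes


def detect_server_hello(data: bytes) -> bool:
    """True if `data` begins with a complete TLS handshake record whose first
    handshake message is a ServerHello. Every length is checked before use."""
    if len(data) < 9:                      # record header (5) + handshake header (4)
        return False
    if data[0] != TLS_HANDSHAKE or data[1] != 3:
        return False
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:            # record truncated: cannot decide yet
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if 4 + hs_len > rec_len:               # handshake header claims more than the record holds
        return False
    return hs_type == SERVER_HELLO


def detect_per_packet(segments) -> bool:
    """Naive detector: inspect each segment as it arrives, in arrival order."""
    return any(detect_server_hello(s.payload) for s in segments)


def reassemble(segments, isn: int) -> bytes:
    """Toy stream reassembly: order by sequence number, trim overlaps, stop at a hole."""
    out = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break                          # gap in the stream; wait for the missing bytes
        start = expected - seg.seq         # skip bytes already delivered (overlap/retransmit)
        if start < len(seg.payload):
            out += seg.payload[start:]
            expected = seg.seq + len(seg.payload)
    return bytes(out)


def detect_reassembled(segments, isn: int) -> bool:
    """Detector fed with the reassembled payload instead of raw segments."""
    return detect_server_hello(reassemble(segments, isn))


def out_of_order_capture():
    """Constructed capture: the ServerHello record is split into two segments
    and the second one is delivered first, as in the thread's pcap description."""
    record = build_server_hello_record()
    isn = 1000
    first, second = record[:7], record[7:]
    return [Segment(isn + 7, second), Segment(isn, first)], isn


if __name__ == "__main__":
    segs, isn = out_of_order_capture()
    print("per-packet detection :", detect_per_packet(segs))      # False
    print("reassembled detection:", detect_reassembled(segs, isn))  # True
```

The per-packet path fails twice for different reasons: the first segment is too short to hold both headers, and the second no longer starts at a record boundary, so a detector that only pattern-matches segment starts never sees a ServerHello. The reassembled path also shows the cost the thread hints at: if a segment is missing, `reassemble` returns nothing past the hole and detection is simply deferred, which is the behaviour a defender wants over a false negative or a guess.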