[Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

Mike Stepanek (mstepane) mstepane at ...5...
Mon Apr 18 11:48:08 EDT 2016


I think it would be a worthwhile feature, but I'm not sure where it's going to end up in the roadmap... or if 2.x or 3.x would get our best opportunity to get it in.

From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Monday, April 18, 2016 11:36 AM
To: Mike Stepanek (mstepane) <mstepane at ...5...>
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

Mike,
Thanks for confirming my observations.
Is the feature planned to be in the roadmap for future 2.9 releases?

Patrick

On Mon, Apr 18, 2016 at 7:14 AM, Mike Stepanek (mstepane) <mstepane at ...5...> wrote:
Patrick -

Yes, your observations are accurate.  I'd say that adding that #define in definitely voids the warranty, and mileage may vary in other parts of the code (I don't have specifics off the top of my head).  :)  So, I'd say it's an unsupported feature at the moment.  2.9.8 would play by the same rules.  That code/ifdef/define may just have moved around a bit since then (i.e., the concept is still unsupported).

- Mike

From: Patrick Yip [mailto:ppatrickyip at ...8...]
Sent: Thursday, April 14, 2016 1:47 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] SSL app detection with snort open-appid version 2.9.7.6 using reassembled packets

I am using open-appid in snort version 2.9.7.6 to detect https connections.
A lot of times, open-appid was not able to detect the app because the serverHello packet arrived out of order. Attached is a pcap file when the serverHello packet was received out of order.

I saw there are
#ifdef APP_ID_USES_REASSEMBLED

in src/dynamic-preprocessors/appid/fw_appid.c to switch the code to use REASSEMBLED packets from the stream preprocessor.

Adding
#define APP_ID_USES_REASSEMBLED
in fw_appid.c seems to make the SSL appid detection work better.

Are there any problems or side effects with the APPID_USES_REASSEMBLED flag enabled? Since this flag is not enabled in the snort 2.9.7.6 source code, is this a supported feature?

Also, the code switch using
#ifdef APP_ID_USES_REASSEMBLED

has disappeared in fw_appid.c with snort version 2.9.8.x. Does snort 2.9.8.x support using stream preprocessor reassembled packets for appid?

Thanks,
Patrick
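The failure Patrick describes (a ServerHello whose TCP segments arrive out of order is never recognised when each packet is inspected on its own, but is recognised once the stream preprocessor hands over in-order reassembled data) is easy to reproduce with a small model. The program below is an added example and is not Snort or OpenAppID code: the TLS record bytes are constructed, the 47-byte ServerHello is split at an arbitrary offset, and the two detectors are a deliberately simplified stand-in for the per-packet and reassembled paths that the APP_ID_USES_REASSEMBLED ifdef selects between (the real AppID state machine is more involved). The names segment_t, detect_per_packet, detect_reassembled and run_demo are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Snort/AppID code): a simplified model of why a
 * TLS ServerHello delivered in out-of-order TCP segments is missed when
 * each packet is inspected alone, but found when the stream is
 * reassembled before inspection. All sample bytes are constructed. */

#define BUF_SZ 256

typedef struct {
    uint32_t seq;          /* TCP sequence number of the first byte */
    const uint8_t *data;
    size_t len;
} segment_t;

/* 1 if buf begins with a complete TLS handshake record whose first
 * handshake message is server_hello (type 2), else 0. */
static int is_complete_server_hello(const uint8_t *buf, size_t len)
{
    if (len < 5 || buf[0] != 0x16 || buf[1] != 0x03)
        return 0;                               /* not the start of a TLS 1.x handshake record */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 || len < 5 + rec_len)
        return 0;                               /* record body not fully present in this buffer */
    return buf[5] == 0x02;
}

/* Per-packet mode: every segment is handed to the detector in isolation,
 * in arrival order, with no buffering across packets. */
int detect_per_packet(const segment_t *segs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_complete_server_hello(segs[i].data, segs[i].len))
            return 1;
    return 0;
}

/* Reassembled mode: segments are placed by sequence number into an
 * in-order buffer and the contiguous prefix is re-inspected after each
 * arrival, which is what stream reassembly provides to a consumer.
 * Returns 1 on detection, 0 if never detected, -1 if the buffer is too small. */
int detect_reassembled(const segment_t *segs, size_t n, uint32_t isn)
{
    uint8_t buf[BUF_SZ];
    uint8_t have[BUF_SZ] = {0};
    size_t contiguous = 0;

    for (size_t i = 0; i < n; i++) {
        size_t off = (size_t)(segs[i].seq - isn);
        if (off + segs[i].len > BUF_SZ)
            return -1;
        memcpy(buf + off, segs[i].data, segs[i].len);
        memset(have + off, 1, segs[i].len);
        while (contiguous < BUF_SZ && have[contiguous])
            contiguous++;                       /* extend the in-order prefix */
        if (is_complete_server_hello(buf, contiguous))
            return 1;
    }
    return 0;
}

/* Build a minimal TLS 1.2 ServerHello record (constructed sample, 47 bytes),
 * split it into two TCP segments and deliver the second one first.
 * use_reassembly selects which detector sees the segments. */
int run_demo(int use_reassembly)
{
    uint8_t rec[47] = {
        0x16, 0x03, 0x03, 0x00, 0x2a,   /* handshake record, TLS 1.2, 42-byte body */
        0x02, 0x00, 0x00, 0x26,         /* server_hello, 38-byte message */
        0x03, 0x03                      /* server_version */
    };
    memset(rec + 11, 0x11, 32);          /* random (constructed filler) */
    rec[43] = 0x00;                      /* session_id length */
    rec[44] = 0xc0; rec[45] = 0x2f;      /* cipher_suite */
    rec[46] = 0x00;                      /* compression_method null */

    const uint32_t isn = 1000;
    segment_t first  = { isn,      rec,      20 };  /* bytes 0..19: record header + start of hello */
    segment_t second = { isn + 20, rec + 20, 27 };  /* bytes 20..46: remainder of the record */
    segment_t arrival[2] = { second, first };        /* out-of-order delivery */

    return use_reassembly ? detect_reassembled(arrival, 2, isn)
                          : detect_per_packet(arrival, 2);
}

int main(void)
{
    printf("per-packet : ServerHello detected = %d\n", run_demo(0));
    printf("reassembled: ServerHello detected = %d\n", run_demo(1));
    return 0;
}
```

In per-packet mode the second segment starts inside the random field, so it never looks like a record start, and the first segment carries only 20 of the 47 bytes, so the record is never complete; neither packet alone can satisfy the detector. With reassembly the same two packets produce a contiguous 47-byte prefix once the first segment arrives and the record is recognised. The same split would also defeat per-packet inspection with in-order delivery whenever a hello is larger than one segment, which is common for ServerHello messages carrying a certificate in the same record.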

