[Snort-openappid] WhatsApp and OpenAppId

Shayne Civitarese shayne.civitarese at wedgenetworks.com
Wed Nov 1 13:14:57 EDT 2017


I have up until recently been able to use the WhatsApp openappid rules,
which are found in ssl_host_group_drambuie and payload_group_drambuie,
to detect when an image was sent through WhatsApp. Normal chat would not
trigger the rule and neither would a login, both actions I would highly
desire, but sending an image would reliably trigger the WhatsApp rule.
This is no longer working for me.

If you have any suggestions on modifications I could make to once again
detect this action or, better yet, detect any WhatsApp traffic, it would be
greatly appreciated. Please consider implementing greater WhatsApp
detection in your distributed openappid Lua scripts if possible.

Thanks,
Shayne


