[Snort-users] Commercial Advanced Packet Sniffers, how do they do this? Application signatures?

Richard Bejtlich taosecurity at ...11827...
Fri Jan 22 15:42:09 EST 2010


Hi Dimitri,

As one data point, Bro offers a form of port-independent protocol
identification [1] using Dynamic Protocol Detection [2].

Sincerely,

Richard

[1] http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html
[2] http://bro-ids.org/wiki/index.php/DynamicProtocolDetection

On Fri, Jan 22, 2010 at 3:22 PM, Dimitri Syuoul <dsyuoul at ...11827...> wrote:
> Hello guys,
>
> I was wondering if anybody could give me feedback on these two
> commercial appliances:
>
> http://www.paloaltonetworks.com/solutions/app-control.html
> http://www.bluecoat.com/products/sg
>
>
> It seems these have two key things a.) proxy for 443/80 with SSL
> termination, and b.) an advanced packet sniffer for all the other
> ports
>
>
> Iam interested in B. With over 900 application "signatures" including
> Bittorent, Skype, MSN (which now a days uses multiple ports also)...
> it even lets you block if you want to allow Instant Messaging but not
> allow WebCams inside instant messaging...
>
> I have been breaking my head for days now and Id like to head from the
> people at snort... how exactly would an appliance be able to
> "signature" all these and manipulate them? As far as I Know the
> community has never seen application signatures.. right?
>
> Please do not reply this message and say a standard port base blocking
> does this, because we know it doesnt ;-) specially Skype who can
> connect pretty much on any open port available on the client machine.
>
> Thanks.
>
> --Dimitri
>
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for Conference
> attendees to learn about information security's most important issues through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list