Snort mailing list archives

Re: Commercial Advanced Packet Sniffers, how do they do this? Application signatures?


From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 22 Jan 2010 15:42:09 -0500

Hi Dimitri,

As one data point, Bro offers a form of port-independent protocol
identification [1] using Dynamic Protocol Detection [2].

Sincerely,

Richard

[1] http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html
[2] http://bro-ids.org/wiki/index.php/DynamicProtocolDetection

On Fri, Jan 22, 2010 at 3:22 PM, Dimitri Syuoul <dsyuoul () gmail com> wrote:
Hello guys,

I was wondering if anybody could give me feedback on these two
commercial appliances:

http://www.paloaltonetworks.com/solutions/app-control.html
http://www.bluecoat.com/products/sg


It seems these have two key things: a.) a proxy for 443/80 with SSL
termination, and b.) an advanced packet sniffer for all the other
ports.


I am interested in B. With over 900 application "signatures" including
BitTorrent, Skype, MSN (which nowadays uses multiple ports also)...
it even lets you block if you want to allow Instant Messaging but not
allow WebCams inside instant messaging...

I have been breaking my head for days now and I'd like to hear from the
people at Snort... how exactly would an appliance be able to
"signature" all these and manipulate them? As far as I know the
community has never seen application signatures.. right?

Please do not reply to this message and say standard port-based blocking
does this, because we know it doesn't ;-) especially Skype, which can
connect on pretty much any open port available on the client machine.

Thanks.

--Dimitri

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
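The approach Richard points to, identifying a protocol from what the first payload bytes look like rather than from the destination port, can be sketched in a few dozen lines. The code below is an added illustration written for this page; it is not Bro's Dynamic Protocol Detection implementation and not taken from either appliance Dimitri asks about. The four signatures (HTTP request line, TLS ClientHello record header, SSH banner, BitTorrent peer-wire handshake) are simplified approximations of the real preambles, the port table and the sample flows are constructed, and the `OpenSSH_8.9` banner string is made up for the example.

```python
"""Port-independent protocol identification, as an added example.

Each flow is classified twice: once by destination port (the approach the
thread says is not enough) and once by matching content signatures against
the first payload bytes. A disagreement between the two is the case that
port-based blocking misses, e.g. an SSH or BitTorrent handshake on 443.
Signatures are simplified approximations, not a vendor's signature set.
"""
import re
from dataclasses import dataclass

# Constructed well-known-port table: the "port-based" half of the comparison.
PORT_GUESS = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record: content type 0x16 (handshake), version 0x03 0x0{0..3},
    # two length bytes, then a handshake message of type 0x01 (ClientHello).
    return (len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03
            and p[2] <= 0x03 and p[5] == 0x01)


def _is_http_request(p: bytes) -> bool:
    # Request line: METHOD SP request-target SP HTTP/1.x CRLF
    pattern = rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
    return re.match(pattern, p) is not None


def _is_ssh(p: bytes) -> bool:
    # SSH identification string always begins "SSH-".
    return p.startswith(b"SSH-")


def _is_bittorrent(p: bytes) -> bool:
    # Peer-wire handshake: pstrlen = 19 followed by "BitTorrent protocol".
    return p.startswith(b"\x13BitTorrent protocol")


# Ordered so the most specific binary checks run before the text-based one.
SIGNATURES = [
    ("tls", _is_tls_client_hello),
    ("ssh", _is_ssh),
    ("bittorrent", _is_bittorrent),
    ("http", _is_http_request),
]


def identify_protocol(payload: bytes) -> str:
    """Return a protocol label from payload content alone, or 'unknown'."""
    for name, check in SIGNATURES:
        if check(payload):
            return name
    return "unknown"


@dataclass
class FlowVerdict:
    port_guess: str   # what the destination port alone suggests
    content_id: str   # what the payload signatures say
    mismatch: bool    # content recognised but disagrees with the port guess


def classify_flow(dst_port: int, payload: bytes) -> FlowVerdict:
    """Compare the port-based guess with the content-based identification."""
    port_guess = PORT_GUESS.get(dst_port, "unknown")
    content_id = identify_protocol(payload)
    mismatch = content_id != "unknown" and content_id != port_guess
    return FlowVerdict(port_guess, content_id, mismatch)


# Constructed sample flows (first client payload bytes), not real captures.
SAMPLE_FLOWS = {
    "http_on_80": (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh_on_443": (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "bt_on_443": (443, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40),
    "tls_on_8443": (8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    "noise_on_80": (80, b"\x00\x01\x02garbage"),
}

if __name__ == "__main__":
    for label, (port, payload) in SAMPLE_FLOWS.items():
        v = classify_flow(port, payload)
        flag = "MISMATCH" if v.mismatch else "ok"
        print(f"{label:12} port={port:<5} port_guess={v.port_guess:<10} "
              f"content={v.content_id:<10} {flag}")
```

Running the module prints one line per sample flow; the SSH and BitTorrent handshakes sent to 443 and the TLS ClientHello on 8443 come out flagged, while HTTP on 80 agrees with its port. A production detector does this on reassembled stream data for both directions and keeps trying as more bytes arrive, which is what makes it robust against applications that hop ports.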

