Snort mailing list archives

Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x)


From: 文浩 via Snort-devel <snort-devel () lists snort org>
Date: Tue, 31 Aug 2021 09:13:20 +0800 (CST)

Our own OpenAppID engine is not flexible enough. If you could support multiple fields and per site, and single IP or port and pktlen etc., the Lua rule writing would be more flexible, which would be better.

At 2021-08-30 23:07:05, "Costas Kleopa (ckleopa)" <ckleopa () cisco com> wrote:

We can certainly look into this in the future, for any roadmap integration or application comparisons, but at this point our biggest focus is our own OpenAppID engine implementation and the respective application coverage.

When it comes to ndpi they seem to offer about 246 different applications/protocols vs. OpenAppID, for which at this point we were able to open source around 2,971+ applications.

Thanks

Costas

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of 文浩 via Snort-devel <snort-devel () lists snort org>
Date: Monday, August 30, 2021 at 5:09 AM
To: mike tancsa <mike () sentex net>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppID and OpenVPN (snort 3 on FreeBSD 12.x)

Regarding ndpi, and integrating ndpi into Snort as a plugin: now that you have that idea, why don't you integrate ndpi into VPP?


At 2021-08-15 22:54:16, "mike tancsa" <mike () sentex net> wrote:
On 8/13/2021 10:46 AM, Shravan Rangarajuvenkata (shrarang) wrote:

I think I added the port to the right location
(content_group_port_services_2pac_old.lua)

    -- OpenVPN
    {353, 1194, 6},
    {353, 1194, 17},
    {353, 11600, 17},

>>> This looks good to me. After making this change, did you do one
of the following:

  * Issue appid.reload_detectors command
  * Restart snort

One of the above needs to be done for the change to take effect. If
you have already done this and you still don't see OpenVPN getting
detected, please send us a pcap and we will investigate it.

Thanks for the reply. Yes, I did indeed restart snort but no luck. I
will generate a pcap and send it in another email.


Also, is it all just port based, or does the AppID engine have enough
smarts to recognize the protocol if it's running on an arbitrary port?

>>> AppId does Deep Packet Inspection (DPI). It can detect
applications running on non-standard ports. However, for an
application where we don't have unique patterns to identify it, we
sometimes resort to port-based detection. OpenVPN is one such
application.



I was also playing around with ndpi (based on opendpi) via the ndpi
reader (https://www.ntop.org/products/deep-packet-inspection/ndpi/) and
it seems to have really excellent application layer coverage. Is there
any thought as to integrating this into Snort as a plugin somehow?

   ---Mike


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

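As an added illustration of the two detection approaches described in the quoted AppId reply (this is standalone example code, not Snort's or OpenAppID's own detector): a small Python classifier that first looks for OpenVPN's initial handshake packet in the payload and, failing that, falls back to the same {appid, port, proto} table as the Lua snippet quoted above. The opcode layout and the handshake heuristic are assumptions taken from the OpenVPN wire format rather than anything the thread states, and the sample packet is constructed.

```python
from typing import Optional

# Port table in the same {appid, port, proto} shape as the Lua snippet on the page
# (appid 353 = OpenVPN, proto 6 = TCP, 17 = UDP).
OPENVPN_APPID = 353
PORT_SERVICES = [
    (353, 1194, 6),
    (353, 1194, 17),
    (353, 11600, 17),
]

# Assumption from the OpenVPN wire format (not stated in the thread): the first
# payload byte is (opcode << 3) | key_id, and opcode 7 is
# P_CONTROL_HARD_RESET_CLIENT_V2, the first packet a client sends. This heuristic
# covers the plain handshake only; tls-auth/tls-crypt framing is not handled.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7

def lookup_by_port(port: int, proto: int) -> Optional[int]:
    """Port-based detection: exact (port, proto) match against the table."""
    for appid, table_port, table_proto in PORT_SERVICES:
        if table_port == port and table_proto == proto:
            return appid
    return None

def looks_like_openvpn_client_reset(payload: bytes, proto: int) -> bool:
    """Pattern-based detection of the client's initial hard-reset packet."""
    if proto == 6:
        # Over TCP each OpenVPN packet is prefixed with a 2-byte big-endian length.
        if len(payload) < 3 or int.from_bytes(payload[:2], "big") != len(payload) - 2:
            return False
        payload = payload[2:]
    # opcode/key_id (1) + session id (8) + ack count (1) + packet id (4)
    if len(payload) < 14:
        return False
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    return (opcode == P_CONTROL_HARD_RESET_CLIENT_V2 and key_id == 0
            and payload[9] == 0 and payload[10:14] == b"\x00\x00\x00\x00")

def classify(port: int, proto: int, payload: bytes) -> Optional[int]:
    """Pattern first, then fall back to the port table, as the reply describes."""
    if looks_like_openvpn_client_reset(payload, proto):
        return OPENVPN_APPID
    return lookup_by_port(port, proto)

# Constructed sample: opcode 7 / key id 0, 8-byte session id, no acks, packet id 0.
CLIENT_RESET = b"\x38" + bytes.fromhex("1122334455667788") + b"\x00" + b"\x00\x00\x00\x00"
```

With the table alone, classify(5000, 17, CLIENT_RESET) would return None; the payload check is what lets the same flow on a non-standard port still resolve to appid 353.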
