Snort mailing list archives
Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x)
From: 文浩 via Snort-devel <snort-devel () lists snort org>
Date: Tue, 31 Aug 2021 09:13:20 +0800 (CST)
Our own OpenAppID engine is not flexible enough. If you could support multiple fields and per-site matching, a single IP or port, pktlen, etc., the Lua rules could be written more flexibly, which would be better.

At 2021-08-30 23:07:05, "Costas Kleopa (ckleopa)" <ckleopa () cisco com> wrote:

We can certainly look into this in the future, for any roadmap integration or application comparisons, but at this point our biggest focus is our own OpenAppID engine implementation and the respective application coverage. When it comes to ndpi, they seem to offer about 246 different applications/protocols, vs. OpenAppID, for which at this point we were able to open source around 2,971+ applications.

Thanks
Costas

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of 文浩 via Snort-devel <snort-devel () lists snort org>
Date: Monday, August 30, 2021 at 5:09 AM
To: mike tancsa <mike () sentex net>
Cc: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-devel] AppID and OpenVPN (snort 3 on FreeBSD 12.x)

The ndpi: integrating ndpi into Snort as a plugin. Now that you have that idea, why don't you integrate ndpi into VPP?

At 2021-08-15 22:54:16, "mike tancsa" <mike () sentex net> wrote:
On 8/13/2021 10:46 AM, Shravan Rangarajuvenkata (shrarang) wrote:

> I think I added the port to the right location (content_group_port_services_2pac_old.lua) --
> OpenVPN {353, 1194, 6}, {353, 1194, 17}, {353, 11600, 17},
>
> >>> This looks good to me. After making this change, did you do one of the following:
> >>> * Issue appid.reload_detectors command
> >>> * Restart snort
> >>> One of the above needs to be done for the change to take effect. If you have already done this and you still don't see OpenVPN getting detected, please send us a pcap and we will investigate it.

Thanks for the reply. Yes, I did indeed restart snort but no luck. I will generate a pcap and send it in another email.

> Also, is it all just port based, or does the AppID engine have enough smarts to recognize the protocol if it's running on an arbitrary port?
>
> >>> AppId does Deep Packet Inspection (DPI). It can detect applications running on non-standard ports. However, for an application where we don't have unique patterns to identify it, we sometimes resort to port-based detection. OpenVPN is one such application.

I was also playing around with ndpi (based on opendpi) via the ndpi reader (https://www.ntop.org/products/deep-packet-inspection/ndpi/) and it seems to have really excellent application layer coverage. Is there any thought as to integrating this into Snort as a plugin somehow?

---Mike

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
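The following is an added example, not code from this thread, from Snort or from OpenAppID. It models the two detection modes Shravan contrasts above: a port-service table in the (appid, port, proto) shape of the Lua line quoted in the thread, versus a payload pattern checked on the first client datagram. The OpenVPN opcode-byte heuristic is an assumption made here for illustration (the thread states AppID has no unique OpenVPN pattern), it is UDP-only, and the sample flows are constructed.

```python
"""Port-table vs. payload-heuristic application identification.

Constructed example for the AppID/OpenVPN thread; not Snort or OpenAppID
code.  The (appid, port, proto) tuples mirror the shape of the Lua line
quoted in the thread; the OpenVPN payload check is an assumption made here.
"""
from dataclasses import dataclass

TCP, UDP = 6, 17
APPID_OPENVPN = 353        # appid value used in the thread's Lua entry
APPID_UNKNOWN = 0

# Port-service table in the shape of
#   OpenVPN {353, 1194, 6}, {353, 1194, 17}, {353, 11600, 17},
PORT_SERVICES = [
    (APPID_OPENVPN, 1194, TCP),
    (APPID_OPENVPN, 1194, UDP),
    (APPID_OPENVPN, 11600, UDP),
]


@dataclass(frozen=True)
class Flow:
    proto: int
    dst_port: int
    payload: bytes          # first client-to-server datagram/segment


def port_lookup(flow: Flow, table=PORT_SERVICES) -> int:
    """Port-only detection: the fallback the thread describes for apps
    without unique payload patterns.  Matches on (proto, dst_port) alone,
    so anything sent to a listed port is labelled with that appid."""
    for appid, port, proto in table:
        if flow.proto == proto and flow.dst_port == port:
            return appid
    return APPID_UNKNOWN


# Assumed heuristic (not a detector OpenAppID ships): an OpenVPN/UDP client
# opens with a packet whose first byte is (opcode << 3) | key_id.  Opcode 7
# (P_CONTROL_HARD_RESET_CLIENT_V2) with key_id 0 gives 0x38; opcode 10
# (HARD_RESET_CLIENT_V3, tls-crypt-v2) gives 0x50.  An 8-byte session id
# follows, then at least an ack-array length (1) and a packet id (4).
# tls-auth/tls-crypt insert an HMAC and packet-id block after the session id
# but leave the opcode byte in the clear.  OpenVPN over TCP prefixes a 2-byte
# length, so this check is deliberately UDP-only.
OPENVPN_CLIENT_RESET_OPCODES = {0x38, 0x50}
OPENVPN_MIN_RESET_LEN = 1 + 8 + 1 + 4


def openvpn_payload_match(flow: Flow) -> bool:
    if flow.proto != UDP or len(flow.payload) < OPENVPN_MIN_RESET_LEN:
        return False
    return flow.payload[0] in OPENVPN_CLIENT_RESET_OPCODES


def classify(flow: Flow) -> tuple:
    """Return (appid, evidence); evidence lists which methods fired.
    A payload hit wins, since it identifies the protocol regardless of port."""
    evidence = []
    if openvpn_payload_match(flow):
        evidence.append("payload")
    port_app = port_lookup(flow)
    if port_app != APPID_UNKNOWN:
        evidence.append("port")
    if "payload" in evidence:
        return APPID_OPENVPN, tuple(evidence)
    return port_app, tuple(evidence)


# Constructed sample flows (not captured traffic).
# OPENVPN_RESET: opcode byte 0x38, 8-byte session id, empty ack array, packet id 0.
OPENVPN_RESET = (bytes([0x38]) + bytes.fromhex("0102030405060708")
                 + b"\x00" + b"\x00\x00\x00\x00")
SAMPLE_FLOWS = {
    "openvpn_on_1194_udp": Flow(UDP, 1194, OPENVPN_RESET),
    "openvpn_on_443_udp":  Flow(UDP, 443, OPENVPN_RESET),
    "dns_on_53_udp":       Flow(UDP, 53, bytes.fromhex("abcd01000001000000000000")),
    "http_on_1194_tcp":    Flow(TCP, 1194, b"GET / HTTP/1.1\r\n"),
}


def classify_all(flows=SAMPLE_FLOWS) -> dict:
    return {name: classify(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (appid, how) in classify_all().items():
        print(f"{name:22s} appid={appid:<4d} via {','.join(how) or 'none'}")
```

The two cases worth noticing are the last two: OpenVPN moved to 443/udp is found only by the payload check, which is exactly what the port-table entry added in the thread cannot do, and unrelated traffic sent to 1194/tcp is labelled OpenVPN by the port table alone, which is the false-positive side of port-based fallback.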
Current thread:
- AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 13)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Shravan Rangarajuvenkata (shrarang) via Snort-devel (Aug 13)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 15)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) 文浩 via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Costas Kleopa (ckleopa) via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) 文浩 via Snort-devel (Aug 30)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) mike tancsa (Aug 15)
- Re: AppID and OpenVPN (snort 3 on FreeBSD 12.x) Shravan Rangarajuvenkata (shrarang) via Snort-devel (Aug 13)