application protocol identification

Carter Bullard carter at qosient.com
Thu Jul 11 13:22:37 EDT 2013


We have raservices() that does a good job, but the signature file is a bit difficult to manage, and the documentation is poor.

I like CS Lee's suggestion, but we should be able to support OpenDPI, as well as nDPI, if we go down that route.  I'll look at this, but raservices() in conjunction with rauserdata() does do a decent job at this problem, since it guesses if it doesn't have a distinct match.  It finds families of protocols, or what some have described as protocol strategies.

Carter

On Jul 11, 2013, at 1:12 PM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:

> I'm *very interested* in this, whether using this library or something else.
> 
> Most of this happens via IDS now but being able to accurately classify
> this in argus would be superb!
> 
> Cheers,
> Harry
> 
> On 07/11/2013 03:02 AM, CS Lee wrote:
>> hi Carter,
>> 
>> Haven't discussed anything in a while over here but I do follow the mailing
>> list and see many exciting features implemented in argus.
>> 
>> I have always used port based identification for network protocol
>> identification (e.g., port 80 = www, port 22 = ssh), however with the dynamic
>> behaviour of networks today, this no longer holds true; many applications are
>> running over non-standard ports and it makes life tougher, especially
>> with p2p applications around.
>> 
>> Will it be possible for argus to make use of ndpi to perform protocol
>> identification -
>> 
>> http://www.ntop.org/products/ndpi/
>> 
>> I'm not sure if people in the list are interested in this, to me it looks
>> very promising and can be a boost to argus since many commercial
>> applications start to implement non-port based protocol identification.
>> 
>> Cheers
> 
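The port-table versus payload-signature contrast discussed in this thread, as an added illustration that is not argus code (raservices()/rauserdata() and their signature file are not reproduced here); the signatures, the "family" fallback heuristic and the sample flows are all constructed assumptions:

```python
"""Toy comparison of port-based vs payload-signature protocol identification.

Constructed sample flows; not argus/raservices() code. The signatures and the
family heuristics are illustrative assumptions, not argus's signature file.
"""
import string

# Classic port table (the approach CS Lee describes as no longer reliable).
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls"}

# Distinct payload signatures: (protocol, predicate over the first client bytes).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("http", lambda p: any(p.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT"))),
    # TLS record: handshake type 0x16, version 3.x, ClientHello (0x01) at offset 5.
    ("tls", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
]

def by_port(dport):
    """Port-only lookup: wrong as soon as a service moves to another port."""
    return PORT_TABLE.get(dport, "unknown")

def by_payload(payload):
    """Return a distinct match, or a coarse 'family' guess when none applies."""
    for name, match in SIGNATURES:
        if match(payload):
            return name
    printable = set(string.printable.encode())
    if payload and all(b in printable for b in payload):
        return "family:text"    # some ASCII line-oriented protocol
    return "family:binary"      # opaque or encrypted payload

def classify(flow):
    return {"port": by_port(flow["dport"]), "payload": by_payload(flow["payload"])}

# Constructed flows: standard ports, non-standard ports, an unknown text protocol.
FLOWS = [
    {"dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: example\r\n"},
    {"dport": 8080, "payload": b"GET /api HTTP/1.1\r\n"},
    {"dport": 2222, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"dport": 443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"dport": 6667, "payload": b"NICK guest\r\nUSER guest 0 * :guest\r\n"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["dport"], classify(f))
```

The second and third flows show the disagreement the thread is about: the port table reports "unknown" while the payload identifies HTTP on 8080 and SSH on 2222, and the last flow shows the family-level guess when no distinct signature fires.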
