application protocol identification

Matt Brown matthewbrown at gmail.com
Fri Jul 12 08:42:40 EDT 2013


Carter,

I don't think OpenDPI is available anymore.  I quickly looked over the
nDPI classes the other week when we were discussing raservices and
rauserdata.

It looks like they are simply protocol identifiers considering payload
and dst port, of which there have to be many more in a "database."  Seems
reasonable to be able to produce a raservices.conf from the classes.

What do you think?


Thanks,

Matt



On Jul 11, 2013, at 1:23 PM, Carter Bullard <carter at qosient.com> wrote:

> We have raservices() that does a good job, but the signature file is a bit difficult to manage, and the documentation is poor.
>
> I like CS Lee's suggestion, but we should be able to support OpenDPI, as well as nDPI, if we go down that route.  I'll look at this, but raservices() in conjunction with rauserdata() does do a decent job at this problem, since it guesses if it doesn't have a distinct match.  Finds families of protocols, or what some have described as protocol strategies.
>
> Carter
>
> On Jul 11, 2013, at 1:12 PM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>
>> I'm *very interested* in this, whether using this library or something else.
>>
>> Most of this happens via IDS now but being able to accurately classify
>> this in argus would be superb!
>>
>> Cheers,
>> Harry
>>
>> On 07/11/2013 03:02 AM, CS Lee wrote:
>>> hi Carter,
>>>
>>> Haven't discussed anything in a while over here, but I do follow the mailing
>>> list and see many exciting features implemented in argus.
>>>
>>> I have always used port-based identification for network protocol
>>> identification (e.g., port 80 = www, port 22 = ssh); however, with the dynamic
>>> behaviour of networks today, this no longer holds true: many applications are
>>> running over non-standard ports, and it makes life tougher, especially
>>> with p2p applications around.
>>>
>>> Will it be possible for argus to make use of ndpi to perform protocol
>>> identification -
>>>
>>> http://www.ntop.org/products/ndpi/
>>>
>>> I'm not sure if people on the list are interested in this; to me it looks
>>> very promising and can be a boost to argus, since many commercial
>>> applications are starting to implement non-port-based protocol identification.
>>>
>>> Cheers
>>