I went through the ntopng code that I had mentioned last week, but I couldn’t gain a lot of information from it. So, I decided to dump it and proceed with writing code for my project.
I have made a short list of applications to identify for now. The identification part will be done by analysing individual packets and performing pattern matching, or fingerprinting, on them.
So, let's say that I identify that a web server is running on some host. The idea is to not just identify what kind of web server (e.g. Apache, nginx, etc.) is running, but also what kind of application is running on the web server! Examples could be WordPress, vBulletin, Joomla, etc.
I have written how to identify WordPress sites, SQL servers and a couple of others, and I will now extend this type of analysis to identify as many applications as possible.
-> Identifying WordPress: Check the GET request and parse the URI. If a wp-* path is found, identify it as a WordPress site.
-> Identifying SQL server: Look into the TCP packet payload; if ‘sql’ is seen anywhere, then check whether ‘client’ is present further on. If yes, take the destination as the SQL server. Another way to verify/identify is to search for SQL statements such as SELECT, etc. in the TCP payload. The destination address will be the SQL server.
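The two heuristics above turned into code, as an added Python example that is not part of the original post. The sample payloads are constructed rather than captured traffic, and the `classify`/`inventory` structure is an assumption about how results might be recorded, not the project's own code.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Request line of an HTTP/1.x request: method, path, version.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
# A bare SQL statement keyword followed by at least one token.
SQL_STATEMENT = re.compile(rb"\b(SELECT|INSERT|UPDATE|DELETE)\b\s+\S+", re.IGNORECASE)


def identify_wordpress(payload: bytes) -> bool:
    """WordPress heuristic: HTTP request whose path contains a wp-* segment."""
    m = HTTP_REQUEST.match(payload)
    if not m:
        return False
    path = m.group(2)
    return b"/wp-" in path  # /wp-login.php, /wp-admin/, /wp-content/...


def identify_sql_server(payload: bytes) -> bool:
    """SQL heuristic: 'sql' followed later by 'client', or a SQL statement."""
    lower = payload.lower()
    i = lower.find(b"sql")
    if i != -1 and b"client" in lower[i:]:
        return True
    return SQL_STATEMENT.search(payload) is not None


def classify(src: str, dst: str, payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (application, server address) or None if nothing matched."""
    if identify_wordpress(payload):
        return ("wordpress", dst)
    if identify_sql_server(payload):
        return ("sql-server", dst)
    return None


def inventory(packets) -> Dict[str, Set[str]]:
    """Map each destination host to the set of applications fingerprinted on it."""
    found: Dict[str, Set[str]] = {}
    for src, dst, payload in packets:
        hit = classify(src, dst, payload)
        if hit:
            found.setdefault(hit[1], set()).add(hit[0])
    return found


# Constructed sample packets (src, dst, TCP payload); addresses are documentation ranges.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", b"GET /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    ("10.0.0.5", "192.0.2.20", b"\x00\x00\x01\x85mysql_native_password\x00client"),
    ("10.0.0.5", "192.0.2.30", b"SELECT name FROM users WHERE id = 1"),
    ("10.0.0.5", "192.0.2.40", b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

if __name__ == "__main__":
    for host, apps in inventory(SAMPLE_PACKETS).items():
        print(host, sorted(apps))
```

A bare substring such as ‘sql’ will also fire on unrelated text (an HTML page that mentions MySQL, for instance), so a hit is worth confirming against the destination port and the direction of the flow before a host is recorded as a server.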