@garyd I did eventually get Snort's Open App ID with full text rules running. My text rules I call the sorcerer's code file; anyway, it was able to show the applications that were running without any use over the network and pinpoint it to my Android smartphone. I got a new phone and it stopped. Again, I knew it was there; my goal was to find a way to stop it globally, something I could report. Yes, Snort's AppID was the closest, as you can detect the app use. Again, it does not list containers used.
I was researching this over summer break and found you can use pf to detect the OS in use in the TCP stack, if you want to check this out. All for the goal of a more secure system. But it requires an OS container database, much like a blacklist, for this to function; again, this is similar to AppID with the text files.
So any containers can be detected this way. What I want to do is set up a signature of what I use and start to block the bad ones. Least privilege approval. I am sure some are real and needed but some are unknown also.
I had a big one in my NAS that was found the other day also. Got that issue fixed.
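The pf approach described above, as an added example that is not part of the original post: an allow-list of the TCP stacks known on the LAN, with anything the fingerprint database cannot identify blocked and logged. The interface name `em0` and the LAN range `192.168.1.0/24` are assumptions.

```pf
# /etc/pf.conf fragment (added example; em0 and 192.168.1.0/24 are assumed values).
# The "os" keyword matches the passive TCP/IP stack fingerprint from the
# fingerprint database on the initial SYN of each connection only, so
# the rules below are written for SYN packets with state tracking.
set fingerprints "/etc/pf.os"

lan_if  = "em0"
lan_net = "192.168.1.0/24"

# pf evaluates rules top to bottom and the LAST match wins, so the
# catch-all block goes first and the allow-list entries below override it.
# "os unknown" matches SYNs whose stack signature is not in the database.
block in log on $lan_if proto tcp from $lan_net os unknown to any

# Allow-list: only the stacks you have confirmed live on this network.
pass in log on $lan_if proto tcp from $lan_net os "Linux"   to any flags S/SA keep state
pass in log on $lan_if proto tcp from $lan_net os "OpenBSD" to any flags S/SA keep state

# Everything with a recognised fingerprint that is not on the allow-list is
# still blocked by the first rule, so new devices must be added deliberately.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and list the fingerprints pf knows about with `pfctl -s osfp` to pick the exact names for your allow-list; blocked SYNs can then be reviewed with `tcpdump -n -e -ttt -i pflog0`.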