Netgate Discussion Forum
    OpenAppID - what is the application?

    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by

      Is there a way to get further context on what an application is? For example, if I block "google" but keep "gmail", what does that mean? For now I'm simply monitoring, but to get granular in the future I would need to understand what each application contains. All my googling for this information doesn't come up with much.

      What is Google or Microsoft here? Very ambiguous.


      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        Google "University" is going to be your best friend here... 😀.

        Here are some links I found with a quick search:

        https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/066/original/OpenAppID-Community-Webinar.pdf

        Snort.org Blog post from 2014 with lots of useful info

        This is from the Snort Mailing List, and contains instructions for locating the defined applications that the AppID rules stubs can detect:

        https://seclists.org/snort/2015/q1/720

        And lastly, because Cisco/Sourcefire originally created AppID technology, and then later released it as open source via OpenAppID, this link from Cisco contains some helpful info:

        https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/application_detection.html

        M 1 Reply Last reply Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @bmeeks
          last edited by

          @bmeeks Thanks Bill. Now you are just showing off your search skills :)

          Thanks for this. I'm understanding the structure here of how the app writing takes place. Not too difficult to piece together.

          You can only detect what you can see. I am not looking forward to TLS1.4 and more from an AppID perspective. ha ha.


          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @michmoor
            last edited by

            @michmoor said in OpenAppID - what is the application?:

            @bmeeks Thanks Bill. Now you are just showing off your search skills :)

            Thanks for this. I'm understanding the structure here of how the app writing takes place. Not too difficult to piece together.

            You can only detect what you can see. I am not looking forward to TLS1.4 and more from an AppID perspective. ha ha.

            Yeah, not too complicated once you dig into it a little. What I call the AppID stubs that download regularly from the Snort VRT contain the metadata and detection pieces for identifying specific apps. The AppID text rules then reference that metadata and application names in the AppID stubs to generate alerts when specific app traffic comes through. It takes both to make the whole. And the text rules are usually the responsibility of the firewall admin, but that starter list included in the Snort package helps you get a basic setup working out of the box. But as mentioned up above, that starter package is a bit dated now as the maintainer is no longer updating it.

            1 Reply Last reply Reply Quote 0
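
The two-part arrangement described in the last post (stubs define the applications, text rules reference them by name) can be audited with a short script. This is an added example, not code from the thread or from the Snort package: the application-name list and the rules below are constructed samples, and splitting the `appid` option value on whitespace or commas and comparing names case-insensitively are assumptions.

```python
import re

# Constructed sample: application names as defined by the downloaded AppID stubs.
STUB_APP_NAMES = {"google", "gmail", "facebook", "microsoft"}

# Constructed sample text rules (messages and SIDs are made up for illustration).
TEXT_RULES = """\
alert tcp any any -> any any (msg:"APPID Gmail"; appid:gmail; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"APPID Google"; appid:google; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; appid:facebook; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"APPID old app"; appid:retired_app; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"no appid here"; content:"x"; sid:1000005; rev:1;)
"""

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')           # quoted option values such as msg
APPID_OPT = re.compile(r'\bappid\s*:\s*([^;]+);', re.IGNORECASE)
SID_OPT = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Yield (sid, [app names]) for each enabled rule carrying an appid option."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):        # skip blanks and disabled rules
            continue
        bare = QUOTED.sub('""', line)               # ignore "appid:" inside strings
        apps = []
        for m in APPID_OPT.finditer(bare):
            # Assumption: several names may be separated by spaces or commas.
            apps += [a.lower() for a in re.split(r"[,\s]+", m.group(1).strip()) if a]
        sid = SID_OPT.search(bare)
        if apps and sid:
            yield int(sid.group(1)), apps

def audit(text, stub_names):
    """Report rules naming apps the stubs lack, and stub apps no enabled rule uses."""
    known = {n.lower() for n in stub_names}
    orphan_rules, referenced = {}, set()
    for sid, apps in parse_rules(text):
        referenced.update(apps)
        missing = [a for a in apps if a not in known]
        if missing:
            orphan_rules[sid] = missing             # this rule can never alert
    return {"orphan_rules": orphan_rules,
            "unmonitored_apps": sorted(known - referenced)}

if __name__ == "__main__":
    print(audit(TEXT_RULES, STUB_APP_NAMES))
```

Running it against a real rule file and the application names from the current stubs shows which starter rules have gone stale and which detectable applications have no alerting rule.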
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.