Netgate Discussion Forum
    OpenAppID for Suricata??

    5 Posts 2 Posters 1.3k Views
    • Cool_Corona

      @bmeeks Is there a plan to implement this into Suricata or is it only Snort to turn to?

      Looking for L7 blocking of apps...

      • bmeeks @Cool_Corona

        @cool_corona said in OpenAppID for Suricata??:

        @bmeeks Is there a plan to implement this into Suricata or is it only Snort to turn to?

        Looking for L7 blocking of apps...

        Suricata offers no such feature at this time. Anything on that front would have to come from upstream. The OpenAppID technology is actually Cisco (formerly Sourcefire) intellectual property they elected to open source a few years ago. Because Snort is owned by Cisco, it was the natural recipient of the open source tech.

        OpenAppID is a somewhat complex technology that requires special code inside the inspection engine as well as user-provided rule signatures.

        • Cool_Corona @bmeeks

          @bmeeks Is there any kind of documentation of the install on pfsense and Snort?

          • bmeeks @Cool_Corona

            @cool_corona said in OpenAppID for Suricata??:

            @bmeeks Is there any kind of documentation of the install on pfsense and Snort?

            There is a general Snort setup guide here: https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html. It contains a section on configuring OpenAppID.

            Be forewarned that using OpenAppID requires two separate, but each necessary, things to be present and downloaded!

            First is the Snort OpenAppID detector stubs. You enable those on the GLOBAL SETTINGS tab.

            The second requirement is a set of OpenAppID text signatures (rules), which are also enabled on the GLOBAL SETTINGS tab. Those are user-supplied, but for pfSense a user at a university in Brazil provided a set of OpenAppID rules that he shared with the pfSense community. That rules package is hosted by Netgate, but the original user no longer keeps it updated. That means newer applications are not present in the rules, and some startup errors will also be seen, because those older signatures reference App IDs whose name or spelling the Snort team has since changed within their detector stubs (the first of the two required pieces that must be present on the firewall).

            Finally, you must also go to the PREPROCESSORS tab and enable the OpenAppID preprocessor on the interface where you wish to use OpenAppID.

            To get the best experience from OpenAppID you must be willing to edit some of the existing rules and/or create some more of your own as Custom Rules. It is not just plug-and-play (nor enable and sit back). But it is free, and free is not in the vocabulary of Palo Alto, Juniper, Fortigate, and others offering Layer 7 DPI of various types 🙂. Also note that this is not true DPI. It is looking at the unencrypted headers to guess the application involved.

            • Cool_Corona @bmeeks
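An added example (not code from this thread, and not part of the pfSense Snort package) that illustrates the two pieces Bill describes and the failure mode he warns about. It is a small Python lint that pulls the `appid:` names out of a custom rule file and checks them against the application names the detector stubs know, so that a renamed or misspelled App ID is caught before Snort reports it at startup, plus a helper that emits a blocking rule suitable for the Custom Rules tab. The stub name list and the rules are constructed inline and are far shorter than the real ones; the assumption that Legacy blocking mode acts on any alert while Inline IPS mode blocks only on a `drop` action is the example's own, not something the thread states.

```python
import re

# Constructed stand-in for the application names shipped inside the Snort
# OpenAppID detector stubs (the real list is much longer; these are illustrative).
STUB_APP_NAMES = {"facebook", "twitter", "youtube", "bittorrent", "dropbox", "ssh", "dns"}

# Constructed rules in the style of a third-party OpenAppID rule set. The second
# rule spells an app name ("bit_torrent") differently from the stubs, which is the
# kind of mismatch that surfaces as a startup error when Snort loads the rules.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"OpenAppID facebook"; appid:facebook; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"OpenAppID file sharing"; appid:bit_torrent,dropbox; sid:1000002; rev:1;)
# comment lines are skipped by the parser
alert udp any any -> any any (msg:"OpenAppID dns"; appid:dns; sid:1000003; rev:1;)
"""

# Rule header: action, protocol, src, sport, direction, dst, dport, then the option body.
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*"
    r"(?P<dir>->|<>)\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# One "key:value;" option. Quoted values may contain semicolons. Value-less
# options such as "nocase;" are not needed by this lint and are ignored.
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


def parse_rules(text):
    """Parse Snort rule text into dicts, keeping only what the lint needs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        opts = {}
        for key, val in OPT_RE.findall(m.group("body")):
            opts.setdefault(key, []).append(val.strip())
        # appid takes a comma-separated list of application names.
        appids = [a.strip() for v in opts.get("appid", []) for a in v.split(",") if a.strip()]
        rules.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "sid": int(opts["sid"][0]),
            "msg": opts.get("msg", [""])[0].strip('"'),
            "appids": appids,
        })
    return rules


def lint_appids(rules, known_apps):
    """Return (sid, app) pairs for every appid name the detector stubs do not know."""
    return [(r["sid"], app) for r in rules for app in r["appids"] if app not in known_apps]


def make_block_rule(apps, sid, inline_ips, msg="OpenAppID block"):
    """Build a custom rule that blocks the named applications.

    Assumption (not from the thread): in the pfSense package, Legacy blocking mode
    blocks on any alert, while Inline IPS mode blocks only on a "drop" action.
    """
    action = "drop" if inline_ips else "alert"
    return (f"{action} ip any any -> any any "
            f'(msg:"{msg}"; appid:{",".join(apps)}; sid:{sid}; rev:1;)')


def check_rule(rule_text, known_apps):
    """True when every appid referenced by rule_text exists in the stub name list."""
    return lint_appids(parse_rules(rule_text), known_apps) == []


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for sid, app in lint_appids(rules, STUB_APP_NAMES):
        print(f"sid {sid}: appid '{app}' is not in the detector stubs (renamed or misspelled?)")
    rule = make_block_rule(["facebook", "youtube"], 1000100, inline_ips=True)
    print(rule)
    print("lints clean:", check_rule(rule, STUB_APP_NAMES))
```

To use it against a real firewall, replace `STUB_APP_NAMES` with the names taken from the installed detector stub package and feed the community rules file to `parse_rules`; the pairs it returns are the rules to edit before enabling OpenAppID on the PREPROCESSORS tab.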

              @bmeeks Awesome info Bill.

              Thanks a million!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.