OpenAppID for Suricata??
-
@bmeeks Is there a plan to implement this into Suricata or is it only Snort to turn to?
Looking for L7 blocking of apps...
-
@cool_corona said in OpenAppID for Suricata??:
@bmeeks Is there a plan to implement this into Suricata or is it only Snort to turn to?
Looking for L7 blocking of apps...
Suricata offers no such feature at this time. Anything on that front would have to come from upstream. The OpenAppID technology is actually Cisco (formerly Sourcefire) intellectual property they elected to open source a few years ago. Because Snort is owned by Cisco, it was the natural recipient of the open source tech.
OpenAppID is a somewhat complex technology that requires special code inside the inspection engine as well as user-provided rule signatures.
-
@bmeeks Is there any kind of documentation of the install on pfSense and Snort?
-
@cool_corona said in OpenAppID for Suricata??:
@bmeeks Is there any kind of documentation of the install on pfSense and Snort?
There is a general Snort setup guide here: https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html. It contains a section on configuring OpenAppID.
Be forewarned that using OpenAppID requires two separate, but each necessary, things to be present and downloaded!
First is the Snort OpenAppID detector stubs. You enable those on the GLOBAL SETTINGS tab.
The second requirement is a set of OpenAppID text signatures (rules), which are also enabled on the GLOBAL SETTINGS tab. Those are user-supplied, but for pfSense a user at a university in Brazil provided a set of OpenAppID rules that he shared with the pfSense community. That rules package is hosted by Netgate, but the original user no longer keeps it updated. That means newer applications are not present in the rules, and some startup errors are also going to be seen, because those older signatures reference some App IDs whose name or spelling the Snort team has since changed within their detector stubs (the first of the required pieces that must be present on the firewall).
Finally, you must also go to the PREPROCESSORS tab and enable the OpenAppID preprocessor on the interface where you wish to use OpenAppID.
To get the best experience from OpenAppID you must be willing to edit some of the existing rules and/or create some more of your own as Custom Rules. It is not just plug-and-play (nor enable and sit back). But it is free, and free is not in the vocabulary of Palo Alto, Juniper, FortiGate, and others offering Layer 7 DPI of various types. Also note that this is not true DPI. It is looking at the unencrypted headers to guess the application involved.
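One check that follows from the answer above, written as an added example and not code from the thread or from the pfSense Snort package: a small Python linter that pulls the app names out of a custom OpenAppID rules file and reports any that the installed detector stubs do not define, which is the mismatch behind the startup errors mentioned. The rule text and the known-app list are constructed here; on a real firewall the list would be derived from the detector stubs package.

```python
import re
from typing import Dict, List, Set

# Constructed sample of user-supplied OpenAppID rules in Snort 2.9 syntax.
# The appid option carries a comma-separated list of application names.
SAMPLE_RULES = """\
# block a couple of apps by application id rather than by port
drop tcp any any -> any any (msg:"OpenAppID drop Facebook"; appid:Facebook; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"OpenAppID alert torrent"; appid:BitTorrent,uTorrent; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"no appid here"; content:"GET"; sid:1000003; rev:1;)
drop tcp any any -> any any (msg:"stale name"; appid:Google_Talk; sid:1000004; rev:1;)
"""

# Constructed stand-in for the app names advertised by the installed detector
# stubs (hypothetical values, not the real stub list).
KNOWN_APPS: Set[str] = {"Facebook", "BitTorrent", "uTorrent", "Google Hangouts"}

APPID_RE = re.compile(r"\bappid\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def referenced_appids(rules_text: str) -> Dict[str, List[str]]:
    """Map each rule's sid to the app names its appid option references."""
    result: Dict[str, List[str]] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and rule-file comments
        m = APPID_RE.search(line)
        if not m:
            continue  # ordinary rule without an appid option
        sid = SID_RE.search(line)
        key = sid.group(1) if sid else line[:40]
        result[key] = [a.strip() for a in m.group(1).split(",") if a.strip()]
    return result


def unknown_appids(rules_text: str, known: Set[str]) -> Dict[str, List[str]]:
    """Return sid -> app names absent from the detector stubs.

    Matching is exact on purpose: a renamed or respelled App ID is exactly
    the case the thread says produces errors at Snort startup.
    """
    bad: Dict[str, List[str]] = {}
    for sid, apps in referenced_appids(rules_text).items():
        missing = [a for a in apps if a not in known]
        if missing:
            bad[sid] = missing
    return bad


if __name__ == "__main__":
    for sid, apps in unknown_appids(SAMPLE_RULES, KNOWN_APPS).items():
        print(f"sid {sid}: unknown appid(s) {', '.join(apps)}")
```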
-
@bmeeks Awesome info Bill.
Thanks a million!