OpenAppID LUA libraries

michmoor · Mar 10, 2023, 9:54 PM

Its been some time since ive looked at this.
Are the OpenAppID application detectors updated automatically as soon as a Snort release is available/
Also, where can i find the new AppID detectors? Say i want to ban all tiktok. Where can i find that app so i can write the rule for it?

bmeeks · Mar 11, 2023, 1:12 AM

Information on OpenAppID is kind of sparse. There are a couple of old Snort website blogs from 2014 that discuss it a little. Here is one of those articles: https://blog.snort.org/2014/03/firing-up-openappid.html.

OpenAppID has two separate components. One is the app detector stubs that get downloaded with rules updates. I don't know how often the Snort team actually updates those stubs. The other piece of OpenAppID is the rules that reference the app ID stubs and scan the traffic to generate alerts. Those do NOT come down from Snort. You either write your own, or you can use the community-submitted set available on the GLOBAL SETTINGS page. That set of OpenAppID rules was created many years ago by a team at a university in Brazil. They maintained them for a while, and the Netgate folks hosted the archive on a Netgate server. But the university team eventually quit updating the rules, so they are probably badly outdated now. I know for a fact they have some typos in app names and also have app names that no longer match those coming down in the Snort app detector stubs.

I suspect the Snort VRT is concentrating the bulk of their effort into Snort3 and not paying much attention to backporting new things into Snort 2.9.x. We use only Snort 2.9.x on pfSense. There is no work going on to create a Snort3 pfSense package. At some point I am sure the upstream Snort crew will pull the plug on updating Snort 2.9.x. At that point, Snort will cease to exist on pfSense unless someone picks up the challenge of developing a Snort3 package for pfSense.

michmoor · Mar 11, 2023, 1:12 AM

@bmeeks Gotcha. Was hoping to work in a workflow with denying applications but i should put the breaks on that. Ok no biggie.
Appreciate the detailed response !

bmeeks · Mar 11, 2023, 9:49 PM

The best outcome in my opinion would be if something akin to OpenAppID was added into Suricata. That would be a task for Suricata upstream to tackle.

michmoor · Mar 11, 2023, 9:55 PM

@bmeeks yep. They are correctly concentrating on the IDS.

For what it’s worth, app filtering should take place on the endpoint much like ssl inspection. So perhaps not a great loss