Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenAppID LUA libraries

    IDS/IPS
    2
    5
    82
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor
      last edited by

      Its been some time since ive looked at this.
      Are the OpenAppID application detectors updated automatically as soon as a Snort release is available/
      Also, where can i find the new AppID detectors? Say i want to ban all tiktok. Where can i find that app so i can write the rule for it?

      Firewall: NetGate 6100/7100U, Palo Alto
      Routing: Juniper MX204 , Arista 7050X3
      Switching: Juniper EX/QFX. Arista 7050SX
      Wireless: Unifi, Aruba IAP

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Information on OpenAppID is kind of sparse. There are a couple of old Snort website blogs from 2014 that discuss it a little. Here is one of those articles: https://blog.snort.org/2014/03/firing-up-openappid.html.

        OpenAppID has two separate components. One is the app detector stubs that get downloaded with rules updates. I don't know how often the Snort team actually updates those stubs. The other piece of OpenAppID is the rules that reference the app ID stubs and scan the traffic to generate alerts. Those do NOT come down from Snort. You either write your own, or you can use the community-submitted set available on the GLOBAL SETTINGS page. That set of OpenAppID rules was created many years ago by a team at a university in Brazil. They maintained them for a while, and the Netgate folks hosted the archive on a Netgate server. But the university team eventually quit updating the rules, so they are probably badly outdated now. I know for a fact they have some typos in app names and also have app names that no longer match those coming down in the Snort app detector stubs.

        I suspect the Snort VRT is concentrating the bulk of their effort into Snort3 and not paying much attention to backporting new things into Snort 2.9.x. We use only Snort 2.9.x on pfSense. There is no work going on to create a Snort3 pfSense package. At some point I am sure the upstream Snort crew will pull the plug on updating Snort 2.9.x. At that point, Snort will cease to exist on pfSense unless someone picks up the challenge of developing a Snort3 package for pfSense.

        M 1 Reply Last reply Reply Quote 1
        • M
          michmoor @bmeeks
          last edited by

          @bmeeks Gotcha. Was hoping to work in a workflow with denying applications but i should put the breaks on that. Ok no biggie.
          Appreciate the detailed response !

          Firewall: NetGate 6100/7100U, Palo Alto
          Routing: Juniper MX204 , Arista 7050X3
          Switching: Juniper EX/QFX. Arista 7050SX
          Wireless: Unifi, Aruba IAP

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            The best outcome in my opinion would be if something akin to OpenAppID was added into Suricata. That would be a task for Suricata upstream to tackle.

            M 1 Reply Last reply Reply Quote 0
            • M
              michmoor @bmeeks
              last edited by

              @bmeeks yep. They are correctly concentrating on the IDS.

              For what it’s worth, app filtering should take place on the endpoint much like ssl inspection. So perhaps not a great loss

              Firewall: NetGate 6100/7100U, Palo Alto
              Routing: Juniper MX204 , Arista 7050X3
              Switching: Juniper EX/QFX. Arista 7050SX
              Wireless: Unifi, Aruba IAP

              1 Reply Last reply Reply Quote 0
              • First post
                Last post