OpenAppID Explained
Introduced in 2014 by Snort author and Sourcefire founder Martin Roesch, OpenAppID is an application-focused detection language and processing module for Snort. Quoting the original blog post by Martin Roesch:
“OpenAppID puts control in the hands of users, allowing them to control application usage in their network environments and eliminating the risk that comes with waiting for vendors to issue updates. Practically speaking, we’re making it possible for people to build their own open source Next-Generation Firewalls.”
It is important to remember that OpenAppID provides application identification and not threat detection. We strongly recommend reading the entire blog post by Martin found here.
OpenAppID consists of a set of Lua libraries for detecting applications, together with the application detectors themselves. To enable OpenAppID in the Snort package for pfSense, Bill Meeks integrated the necessary AppID stubs and Lua scripts. Having the detectors installed is not enough on its own, however: to act on what they identify you create text rules, like any other custom Snort rule, that carry the “appid” keyword. The appid keyword can be embedded in any rule so that the rule matches only traffic already identified as a specific application.
These rules reference the application IDs provided by the VRT (Vulnerability Research Team). To actually use OpenAppID you need the App ID stubs from the VRT and then text rules that reference those App IDs. The detectors themselves are supplied, but the text rules that alert on or block particular applications are not provided by Cisco or Snort.
This is where, once again, our community shines. A pfSense user and community member named Demair Ramos created a large collection of text rules that use the AppIDs provided by the VRT. Demair hosted the rules he created on his university’s server in Brazil, but that server has limited bandwidth and implements geo-blocking to conserve it. Working with Bill, Demair and our developer Renato Botelho do Couto created a new mirror of this rulebase on our infrastructure, and Bill changed the Snort package for pfSense to use it; pfSense-package-snort v3.2.9.5_4 or later includes this change.
In pfSense, OpenAppID can detect, and if configured to do so block, over 2600 different services such as Facebook, Netflix, Twitter, and Reddit. The package can be installed from the pfSense Package Manager and configured via the existing Snort GUI. Those familiar with Snort should find the interface for working with OpenAppID detectors and rules familiar and easy to use.
We have recently updated our Snort guide for pfSense and added a brand new section covering Application ID, which can be found here.
Our plan for OpenAppID is not limited to pfSense, we intend to enable it for our upcoming advanced platforms that use Cisco’s VPP and DPDK. More on this subject in the future.
We would like to express our sincere gratitude to our contributors Bill Meeks and Demair Ramos for making pfSense application aware, as well as thank Cisco’s Martin Roesch for his vision and work enabling true NGFW functionality for pfSense software.
Harnessing the power of open source and community, Cisco today announced that the company is delivering the ability to create and integrate new open source application identification capabilities into its Snort engine through the release of OpenAppID. Open source application detection and control allows users to create, share and implement custom application detection so that they can address new app-based threats as quickly as possible.
Open source application detection and control is enabled by Cisco’s new OpenAppID application-focused detection language. OpenAppID provides application visibility, accelerates the development of application detectors, and empowers the community to share detectors for greater protection. As new applications are developed and introduced into corporate environments at an unprecedented rate, this new language gives users increased flexibility to control new or custom apps on the network. OpenAppID is especially important for organizations utilizing custom-built or specialized applications and those in highly regulated industries that require the highest levels of identification and control.
“As a long-time Snort user, we rely on the flexibility, transparency and control that open source tools give us to better protect our entire environment,” said Kevin A. Kerr, Chief Information Security Officer and Senior Advisor, Risk Management at Oak Ridge National Laboratory. "While proprietary systems leave us beholden to update cycles and priorities, open source allows us to tailor protection at our convenience. By delivering application detection and control to the open source community, Cisco is empowering users with the ability to create custom application detectors and take action to address new threats in real time."
OpenAppID will accelerate and expand the breadth of application detection, by facilitating open community sharing and enhancement of new application detectors. It also supports the following critical capabilities:
- Application Detection/Reporting ‑ OpenAppID enables Snort users to utilize the new OpenAppID detectors to detect and identify applications, and to report on application use.
- Application Context associated with network intrusion events ‑ By providing application-layer context with security-related events, OpenAppID helps to enhance analysis and speed remediation.
- Actionable Application Detection and Control ‑ OpenAppID enables Snort to block or alert on detection of certain applications. This helps to reduce risks by managing total threat surface.
Martin Roesch, creator of Snort and Vice President and Chief Architect, Cisco Security Business Group, said, “Open source is very important because it creates real collaboration and trust between vendors and the experts that are tasked with addressing advanced and aggressive threats. By open sourcing application visibility and control, Cisco is empowering the community to create technically superior solutions to address their most complex and unique security challenges.”
As part of this announcement, Cisco is delivering a special release of the Snort engine that includes the new OpenAppID preprocessor. This enables the Snort community to begin working with OpenAppID to build application detectors. Included with a future general release of Snort, the OpenAppID-enabled preprocessor supports:
- Detection of applications on the network
- Reporting on the usage statistics of apps (traffic)
- Blocking of applications by policy
- Extensions to the Snort rule language to enable application specification
- Reporting of an “App Name” along with IPS events
In addition, a library of more than 1,000 OpenAppID detectors will be available at no charge through the Snort community at http://www.snort.org. Any community member may contribute additional detectors, including end user organizations with custom applications that are not commercially available.
Cisco's commitment to open source security projects, including Snort and ClamAV, provides users and developers the ability to engage and strengthen their solutions, while demonstrating technical excellence and providing rapid threat protection. The acquisition of Sourcefire has strengthened Cisco's extensive contributions to the open source software development community.
Cisco Sourcefire recently announced that Snort 2.9.7, their open source IDS/IPS, will support free application visibility and control, called OpenAppID. It will be fully integrated into the current Snort framework and offers a new application preprocessor and a keyword, 'appid', that can be used in any Snort rule. OpenAppID will launch with detection for more than 1,400 applications, providing Snort admins with much needed awareness of the applications on their networks. The Snort application information can also be sent to 3rd party analytics or SIEM tools.
The de facto industry standard rule language for IDS/IPS has been Sourcefire's Snort open source technology. So this OpenAppID release begs the question: can Snort do it again in the application visibility and control space? Will Snort become the standard for application detection signatures? Application awareness has been largely dominated by the NGFW (next-generation firewall) market so far and is one of the major factors that market has skyrocketed. You couldn't swing a stick at the latest RSA conference without hitting a vendor with an NGFW offering to tell you about. So what happens now that the largest open source security project has begun to offer a free AVC solution to the market? Will the Snort community rush to adopt the OpenAppID features released in Snort version 2.9.7? If we look at the history of the Snort community, it is very likely that they will. If they do, will the NGFW and NGIPS markets follow their customers and implement support for OpenAppID as well? It could be a game changer for the viability of AVC as a security tool.
Why do we need a de facto standard for AVC? Because today customers don't know, and aren't allowed to view, what makes up the AVC signatures found in their NGFW or NGIPS devices. You just have to trust that they are well written and not easily subverted or hijacked. In some cases, the NGFW industry is telling you that AVC is the cornerstone achievement of the next level of firewall-like protections, and that understanding the application, at Layer 7, is required to adequately lock down your network security. But at the same time the exact methods, signatures and techniques being used to correctly identify these applications are hidden from the administrator/customer. That means that the customer is working on good faith that the vendor has done a good job with app visibility. Never a good position to be in. Hopefully OpenAppID will lift the curtain of AVC secrecy and force all AVC vendors to disclose their signatures and methods. Snort already did that for IDS/IPS and I hope it will do it again for AVC. Now that the industry has an open source community formed to create, share and evaluate application detection signatures and methods, administrators will have the knowledge they need to determine the true robustness and security usefulness of this technology.
Many are under the impression that the underlying technology behind AVC is complex and robust enough both to identify applications correctly and to prevent things like application masquerading by malware to avoid detection and slip through your application-based security policy. Unlike a traditional firewall's Layer 4 port-based (TCP/UDP) controls, AVC's Layer 7 controls can be easily spoofed or misinterpreted. In my experience most of the AVC signatures out there are based on the equivalent of regex strings, and even worse, if it is a web application it is based on just a regex pattern match within the URL request string. That sounds like what a URL filtering engine does, not what you'd expect from an application visibility engine. A URL match does not an application ID make. Some AVC engines will incorrectly identify the following string as Facebook just because the regex string matches: http://www.somehackersite.com/www.facebook.com/
It is time the veil of secrecy behind AVC signatures and methods is lifted across the industry. It is time for a true community-driven, open source AVC project that will strive to increase the robustness and efficacy of application identification. With so many applications already, and new ones arriving by the thousands, the problem is bigger than any vendor and requires a global community effort. I trust that the largest open source community in security, the Snort community, is game for the task!
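The misidentification described above is easy to reproduce. The following is an added example, not code from the article or from any AVC vendor: it runs two detectors over constructed HTTP requests. The first imitates the "regex over the URL request string" approach and labels anything containing facebook.com as Facebook, including a path on an unrelated site and a look-alike hostname; the second decides from the Host header only and enforces DNS label boundaries, so a subdomain of facebook.com matches but notfacebook.com does not. The domain lists are illustrative placeholders, not a real detector's data.

```python
"""URL substring match versus host-based application identification.

Added example (not from the quoted article). Both detectors are fed the same
constructed HTTP/1.1 requests; only the host-based one gets all three right.
"""
import re
from typing import Optional, Tuple

# Naive approach: regular expressions applied to the reconstructed URL string.
NAIVE_PATTERNS = {
    "facebook": re.compile(r"facebook\.com", re.IGNORECASE),
    "netflix": re.compile(r"netflix\.com", re.IGNORECASE),
}

# Host-based approach: registrable domains the application is served from.
# Placeholder lists for the example; a real detector package maintains these.
APP_DOMAINS = {
    "facebook": ("facebook.com", "fbcdn.net"),
    "netflix": ("netflix.com", "nflxvideo.net"),
}


def parse_request(raw: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (method, request-target, host) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().rsplit(":", 1)[0]  # drop an optional :port
            break
    return method, target, host


def naive_identify(raw: bytes) -> Optional[str]:
    """Regex over 'http://<host><target>': matches anywhere, including the path."""
    _, target, host = parse_request(raw)
    url = f"http://{host or ''}{target}"
    for app, pattern in NAIVE_PATTERNS.items():
        if pattern.search(url):
            return app
    return None


def host_matches(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it (label boundary enforced)."""
    return host == domain or host.endswith("." + domain)


def host_identify(raw: bytes) -> Optional[str]:
    """Identify the application from the Host header alone."""
    _, _, host = parse_request(raw)
    if host is None:
        return None
    for app, domains in APP_DOMAINS.items():
        if any(host_matches(host, d) for d in domains):
            return app
    return None


# Constructed sample requests (not captured traffic).
REQ_REAL = b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
REQ_SPOOF_PATH = (b"GET /www.facebook.com/ HTTP/1.1\r\n"
                  b"Host: www.somehackersite.com\r\n\r\n")
REQ_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: notfacebook.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("real", REQ_REAL), ("spoofed path", REQ_SPOOF_PATH),
                       ("look-alike host", REQ_LOOKALIKE)):
        print(f"{label:16} naive={naive_identify(req)!s:10} host={host_identify(req)}")
```

Run it and the naive detector reports "facebook" for all three requests, while the host-based one reports Facebook only for the genuine www.facebook.com request. A real detector also has to handle TLS (SNI or certificate names rather than a Host header) and clients that lie in the Host header, which is why application identification is harder than URL filtering.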
We introduced OpenAppID in early 2014 with the goal of empowering customers and the open source community to control application usage in their network environments. Since then, we have increased our coverage from 1,000 OpenAppID detectors to more than 2,600, and have received valuable feedback from the community on ways to improve the product.
Having an open, application-focused detection language and processing module for Snort has attracted the attention of the Internet of Everything (IoE) world. There are countless devices out there using the Internet on their own, ranging from a remote IP-based camera to an industrial sensor, some of which include security features of their own.
With the combination of OpenAppID and Snort we are giving the open source community the capability to create their own application-based protocol detectors and classifications, which can be used to provide a better threat-centric solution in this field as well.
Using this scripting-based language, someone can quickly test and understand the different protocols that IoE devices speak. It can be used to provide further analytics on a specific device’s behavior, and to validate some of the protocol’s data against the rest of the connected devices. It has been used to build multi-layer detectors that identify different behaviors and actions of specific protocols, and it gives the ability to track an application’s state across different traffic patterns within the same flow, or even across an external one.
In addition to that, operators can use these tools to control the access of specific connected devices based on the networks in which they are located. For example, someone can allow a device to operate from “Network Source A” -> “Network Destination B” only when the protocol is DNP3 Read. Any other type of DNP3 operation would not be allowed between that source and destination.
Policies like that can add a further level of security, and combined with the IPS capabilities of Snort you get the best of both worlds.
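The appid keyword described earlier on this page is how such a policy reaches Snort, so one example serves both that passage and the DNP3 scenario just given. The following is an added example, not code from the pfSense Snort package, Netgate, Cisco or the OpenAppID project. It assumes the Snort 2.9.7 rule option `appid:<name>[,<name>...];`, which restricts a rule to traffic the AppID preprocessor has already labelled, and it renders a small policy table into local text rules, mirroring the "DNP3 Read only from A to B" idea. The app names used (dnp3_read, dnp3, facebook, netflix) are placeholders; a real rule must use names that exist in the installed detector package, and the two DNP3 names in particular are assumed, not verified.

```python
"""Turning an application policy into Snort text rules that use the appid option.

Added example, not code from the pfSense package, Netgate, Cisco or OpenAppID.
Assumes Snort 2.9.7 syntax:  appid:<name>[,<name>...];  App names are placeholders.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Tuple

LOCAL_SID_BASE = 1_000_000  # sids below 1,000,000 are reserved for official rulesets


@dataclass(frozen=True)
class AppPolicy:
    action: str               # alert | log | drop | pass (drop and pass need inline mode)
    apps: Tuple[str, ...]     # OpenAppID names the rule should match (placeholders here)
    proto: str = "tcp"
    src: str = "any"          # CIDR block or "any"
    dst: str = "any"
    msg: str = ""


def _net(value: str) -> str:
    """Validate a network spec; Snort accepts a CIDR block or 'any'."""
    if value == "any":
        return value
    return str(ip_network(value, strict=True))  # ValueError on host bits or bad syntax


def render_rule(policy: AppPolicy, sid: int) -> str:
    """Render one policy entry as a Snort 2.9.7 text rule carrying the appid option."""
    if policy.action not in ("alert", "log", "drop", "pass"):
        raise ValueError(f"unsupported action {policy.action!r}")
    if not policy.apps:
        raise ValueError("a rule needs at least one appid name")
    for app in policy.apps:
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", app):
            raise ValueError(f"bad appid name {app!r}")
    msg = policy.msg or f"AppID {policy.action} {','.join(policy.apps)}"
    return (f"{policy.action} {policy.proto} {_net(policy.src)} any -> {_net(policy.dst)} any "
            f'(msg:"{msg}"; appid:{",".join(policy.apps)}; sid:{sid}; rev:1;)')


def render_ruleset(policies: Iterable[AppPolicy], first_sid: int = LOCAL_SID_BASE) -> List[str]:
    """Assign consecutive local sids and render every policy entry."""
    return [render_rule(p, first_sid + i) for i, p in enumerate(policies)]


APPID_RE = re.compile(r"\bappid:\s*([^;]+);")


def appids_in_rule(rule: str) -> List[str]:
    """Return the appid names a rule line references (empty if it has no appid option)."""
    m = APPID_RE.search(rule)
    return [a.strip() for a in m.group(1).split(",")] if m else []


# Constructed policy mirroring the DNP3 example in the text: only DNP3 reads are
# allowed from network A to network B, any other DNP3 traffic on that path is
# dropped, and two consumer applications are blocked everywhere. Snort's default
# rule ordering evaluates pass rules before drop rules, so the pass rule wins
# for flows labelled dnp3_read. Network addresses are placeholders.
EXAMPLE_POLICY = [
    AppPolicy("pass", ("dnp3_read",), src="10.1.0.0/24", dst="10.2.0.0/24",
              msg="allow DNP3 read A->B"),
    AppPolicy("drop", ("dnp3",), src="10.1.0.0/24", dst="10.2.0.0/24",
              msg="block other DNP3 A->B"),
    AppPolicy("drop", ("facebook", "netflix"), msg="block social and streaming"),
]

if __name__ == "__main__":
    for line in render_ruleset(EXAMPLE_POLICY):
        print(line)
```

Drop and pass actions only take effect when Snort runs inline; in passive mode the same rules can be written with alert to audit what the policy would have blocked before enforcing it. Whether a single flow is labelled with both a service name and an operation-specific name depends on how the installed detectors are written, which is why the DNP3 names above are flagged as assumptions.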
- http://facebook.com/ciscosecurity
- http://blogs.cisco.com/
- https://www.netgate.com/blog/application-detection-on-pfsense-software.html
- https://www.networkworld.com/article/2226547/application-awareness-goes-open-source-snort-openappid.html
- http://blog.snort.org/2014/03/openappid-install-video.html