[Oisf-users] Is there any possible Suricata could support OpenAppId?

Cooper F. Nelson cnelson at ucsd.edu
Fri Jan 30 21:26:35 UTC 2015


Wasn't sure how they were able to see inside a SSL session to identify
apps, so I did some research.  Found the following:

> https://forum.pfsense.org/index.php?topic=84227.0

This really isn't a "NGF" style application identification.  What they
are doing is looking at the SSL cert and pulling the domain from that.
EmergingThreats already has lots of application detection rules (e.g.
policy/chat rules) that already do this and Suricata supports Lua, so
I'm not sure what the advantage is.

Again, if you want to restrict users' access to certain domains you
should be using a web proxy.  Squid is free, works very well and will
even give your customers a useful error message vs. simply resetting the

Actual next-generation firewall products can be configured to proxy SSL
sessions and decrypt them to inspect the content.  Neither Squid nor
Suricata can do this (nor do I think they should), so again I think
these sorts of applications are better served by a NGF or proxy product.

-Coop

On 1/30/2015 1:29 AM, Liao Zhuodi wrote:
> Suricata supports Lua scripts, and OpenAppID actually consists of Lua functions like this:
> function DetectorInit(detectorInstance)
>     gDetector = detectorInstance
>     gDetector:addAppUrl(0, 0, 0, 52, 13, "msn.com", "/", "http:", "", 308)
>     return gDetector
> end
> and the best part about OpenAppID is it can generate app statistics; does Suricata have a similar function?
> #> u2openappid /var/log/snort/appstats-u2.log.1393807981
> statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
> statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
> OpenAppID: http://blog.snort.org/2014/03/firing-up-openappid.html
> Liao

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
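An added example, not part of Cooper's or Liao's posts: a Suricata Lua detection script that does what the thread describes, classifying a TLS flow by the certificate subject CN (or the SNI) without decrypting the session. It assumes Suricata's Lua detect API (init/match, TlsGetCertInfo, TlsGetSNI, SCLogInfo); the application-to-domain table is illustrative.

```lua
-- Added example (not from the thread): classify a TLS flow by the
-- certificate subject CN or the SNI, the cert-based approach the thread
-- attributes to OpenAppID/pfSense. Assumes Suricata's Lua detect API:
-- init()/match(), TlsGetCertInfo(), TlsGetSNI(), SCLogInfo().

-- Illustrative application -> domain suffix table (constructed sample).
local app_domains = {
    msn   = { "msn.com", "live.com" },
    skype = { "skype.com" },
}
-- Extract the CN= value from a subject like "C=US, O=Example, CN=www.example.com".
local function subject_cn(subject)
    if subject == nil then return nil end
    return subject:match("CN=([^,/]+)")
end

-- Exact match or proper subdomain; plain string compare, so "." is no wildcard.
local function host_in_domain(name, domain)
    name = name:lower()
    if name == domain then return true end
    local suffix = "." .. domain
    return #name > #suffix and name:sub(-#suffix) == suffix
end

-- Map a hostname to an application name, or nil if unknown.
function classify(name)
    if name == nil then return nil end
    for app, domains in pairs(app_domains) do
        for _, d in ipairs(domains) do
            if host_in_domain(name, d) then return app end
        end
    end
    return nil
end
-- Suricata entry points: only run on TLS flows; match when the cert CN
-- or the SNI belongs to a known application domain.
function init(args)
    return { tls = tostring(true) }
end

function match(args)
    local version, subject = TlsGetCertInfo()   -- nil, errmsg when no cert yet
    local app = nil
    if version ~= nil then app = classify(subject_cn(subject)) end
    if app == nil then app = classify(TlsGetSNI()) end
    if app == nil then return 0 end
    SCLogInfo("tls app identified: " .. app)
    return 1
end
```

Reference the script from a rule with the lua keyword (luajit on older 2.x builds), for example `alert tls any any -> any any (msg:"TLS app identified"; lua:tls_appid.lua; sid:PLACEHOLDER; rev:1;)`. Matching on the cert or SNI only identifies the service, not the content, which is the limitation Cooper points out above.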

