[Oisf-users] Is there any possible Suricata could support OpenAppId?

Andreas Herz andi at geekosphere.org
Mon Oct 12 11:37:12 UTC 2015


Little late, but I looked into your request again since I also got
curious.

On 30/01/15 at 17:29, Liao Zhuodi wrote:
> Suricata support Lua script, and OpenAppID is actually functions in Lua like this:
> 
> function DetectorInit(detectorInstance)
>     gDetector = detectorInstance
>     gDetector:addAppUrl(0, 0, 0, 52, 13, "msn.com", "/", "http:", "", 308)
>     return gDetector
> end

Well, I can't see what the big gain is over normal rules, which also check
for some pattern. I also compared the openappid patterns and there are
already some rules for facebook, for example, that match "chat".

So it looks more like another way to write rules and maybe makes it
easier to use a rule with appid: foo, bar to customize things.

But what I'm really missing (well, I may have overseen it) is the real
advantage. As far as I can see it, you could convert all the openappid
rules to normal rules, which would then work with suricata.

Did anyone look more into openappid?

A real gain towards NextGen Firewall would be nice, but it looks like
openappid isn't the real gain.

-- 
Andreas Herz
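The thread's point that an addAppUrl detector could be rewritten as a normal Suricata rule, as an added example that is not code from the original post, from OpenAppID or from Suricata: a small Python converter that reads the quoted addAppUrl call and emits an equivalent http.host / http.uri rule (tls.sni for https patterns). The positional meaning of the addAppUrl arguments, the sid base and the sample input are assumptions; http.host, http.uri and tls.sni are Suricata sticky buffers (Suricata 5 and later).

```python
import re

# Constructed sample input: the detector fragment quoted in the thread.
SAMPLE_DETECTOR = '''
function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    gDetector:addAppUrl(0, 0, 0, 52, 13, "msn.com", "/", "http:", "", 308)
    return gDetector
end
'''

# Positional meaning of the ten addAppUrl arguments, assumed from the
# OpenAppID detector API (not verified against every OpenAppID release).
FIELDS = ("service_id", "client_id", "client_type", "payload_id", "payload_type",
          "host", "path", "scheme", "query", "app_id")
CALL_RE = re.compile(r'addAppUrl\s*\(([^)]*)\)')   # patterns containing ')' not handled

def parse_add_app_url(lua_text):
    """Return one dict per addAppUrl(...) call found in the Lua source."""
    calls = []
    for m in CALL_RE.finditer(lua_text):
        raw = [a.strip() for a in m.group(1).split(",")]   # patterns with ',' not handled
        if len(raw) != len(FIELDS):
            continue                                        # skip malformed calls
        vals = [a[1:-1] if a.startswith('"') else int(a) for a in raw]
        calls.append(dict(zip(FIELDS, vals)))
    return calls

def escape_content(s):
    """Escape the characters Suricata requires escaping inside content:"..."."""
    return re.sub(r'([\\;"|])', r'\\\1', s)

def to_suricata_rule(call, sid_base=3000000):
    """Build an http.host/http.uri (or tls.sni) rule; sid_base is a constructed choice."""
    https = call["scheme"].lower().startswith("https")
    proto, host_buf = ("tls", "tls.sni") if https else ("http", "http.host")
    opts = [f'msg:"OpenAppID app {call["app_id"]} ({call["host"]})"',
            "flow:established,to_server",
            host_buf, f'content:"{escape_content(call["host"])}"']
    if not https and call["path"] and call["path"] != "/":   # a bare "/" matches every URI
        opts += ["http.uri", f'content:"{escape_content(call["path"])}"']
    opts += [f"sid:{sid_base + call['app_id']}", "rev:1"]
    return f"alert {proto} any any -> any any ({'; '.join(opts)};)"

def convert(lua_text):
    """Convert every addAppUrl call in a detector into a Suricata rule line."""
    return [to_suricata_rule(c) for c in parse_add_app_url(lua_text)]
```

The host pattern becomes a substring match, which is what the OpenAppID call expresses too; anchoring it (e.g. with endswith or dotprefix) is left to the rule author.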
