[Oisf-users] Is there any possible Suricata could support OpenAppId?

Cooper F. Nelson cnelson at ucsd.edu
Mon Oct 12 17:13:20 UTC 2015



OpenAppId is actually a step backwards, as you can do most of this with
a web proxy (squid is free) and existing ACLs/logging.  You can even see
the domains from an ssl session, which makes tagging encrypted traffic
easier.

The majority of the lua rules seem to be doing trivial matches on HTTP
headers, which I'm almost positive suricata can do more efficiently via
libhttp and the existing http rule syntax.

tl;dr If you want to block domains, urls and/or user-agents, use Squid.

-Coop

P.S.  I downloaded the lua scripts and had a look at them.  There appear
to be five types of rules currently:

client
content_group
payload
service
ssl_host_group

Unless I'm missing something, it appears you could easily convert the
web applications into suricata http rules.  For example, using these
keywords:

client:		http_user_agent
content_group:	http_header
payload:	http_host; http_uri

The ssl_host_group rules can be converted into 'tls' rules with a
trivial content match.

The 'service' rules are trickier and would probably have to be
re-written by hand, as there are lots of hex matches and ranges involved.


On 10/12/2015 4:37 AM, Andreas Herz wrote:
> But what I'm really missing (well, I may have overseen it) is the real
> advantage. As far as I can see it, you could convert all the openappid
> rules to normal rules which would work then with suricata.
> 
> Did anyone look more into openappid?
> 
> A real gain towards NextGen Firewall would be nice, but it looks like
> openappid isn't the real gain.


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
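As an added example (not code from the post, from OpenAppId or from Suricata), the keyword mapping Coop sketches above turned into a small converter. The rule descriptors and app names are constructed stand-ins for the lua detectors, and the `tls.sni` buffer is assumed to be available in the Suricata version in use:

```python
import re

# Constructed descriptors standing in for OpenAppId detectors (the real
# detectors are lua; this flat format is an assumption for illustration).
RULES = [
    {"type": "client", "app": "curl", "pattern": "curl/"},
    {"type": "content_group", "app": "json-api", "pattern": "Content-Type: application/json"},
    {"type": "payload", "app": "example-site", "host": "Example.COM", "uri": "/login"},
    {"type": "ssl_host_group", "app": "example-tls", "pattern": "tls.example.com"},
]

# Keyword mapping from the post: client -> http_user_agent, content_group -> http_header,
# payload -> http_host + http_uri, ssl_host_group -> a tls rule.
KEYWORDS = {"client": "http_user_agent", "content_group": "http_header"}


def escape_content(value: str) -> str:
    """Escape characters that are special inside a Suricata content:"..." match:
    backslash, double quote, semicolon and pipe would otherwise end or alter it."""
    return re.sub(r'([\\";|])', r'\\\1', value)


def to_suricata_rule(rule: dict, sid: int) -> str:
    msg = f'msg:"OPENAPPID {rule["app"]}"'
    tail = f'classtype:policy-violation; sid:{sid}; rev:1;'
    t = rule["type"]
    if t in KEYWORDS:
        content = f'content:"{escape_content(rule["pattern"])}"; {KEYWORDS[t]}; nocase;'
        return f'alert http any any -> any any ({msg}; {content} {tail})'
    if t == "payload":
        # http_host is normalised to lowercase by Suricata and rejects nocase,
        # so the host pattern is lowercased here and nocase is only set on the URI.
        host = f'content:"{escape_content(rule["host"].lower())}"; http_host;'
        uri = f'content:"{escape_content(rule["uri"])}"; http_uri; nocase;'
        return f'alert http any any -> any any ({msg}; {host} {uri} {tail})'
    if t == "ssl_host_group":
        # Match the SNI hostname of the TLS handshake (tls.sni sticky buffer, assumed available).
        sni = f'tls.sni; content:"{escape_content(rule["pattern"])}"; nocase;'
        return f'alert tls any any -> any any ({msg}; {sni} {tail})'
    # 'service' rules (hex matches and ranges) are left for manual conversion, as the post says.
    raise ValueError(f"unsupported rule type: {t}")


def convert_all(rules=RULES, first_sid=9000000):
    return [to_suricata_rule(r, first_sid + i) for i, r in enumerate(rules)]


if __name__ == "__main__":
    print("\n".join(convert_all()))
```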