[Oisf-users] Is there any possible Suricata could support OpenAppId?
Cooper F. Nelson
cnelson at ucsd.edu
Mon Oct 12 17:13:20 UTC 2015
OpenAppId is actually a step backwards, as you can do most of this with
a web proxy (Squid is free) and existing ACLs/logging. You can even see
the domains from an SSL session, which makes tagging encrypted traffic
The majority of the Lua rules seem to be doing trivial matches on HTTP
headers, which I'm almost positive Suricata can do more efficiently via
libhtp and the existing http rule syntax.
tl;dr If you want to block domains, URLs and/or user-agents, use Squid.
P.S. I downloaded the Lua scripts and had a look at them. There appear
to be five types of rules currently:
Unless I'm missing something, it appears you could easily convert the
web applications into Suricata http rules. For example, using these
payload: http_host; http_uri
The ssl_host_group rules can be converted into 'tls' rules with a
trivial content match.
The 'service' rules are trickier and would probably have to be
re-written by hand, as there are lots of hex matches and ranges involved.
On 10/12/2015 4:37 AM, Andreas Herz wrote:
> But what I'm really missing (well, I may have overlooked it) is the real
> advantage. As far as I can see it, you could convert all the OpenAppId
> rules to normal rules which would work then with Suricata.
> Did anyone look more into OpenAppId?
> A real gain towards NextGen Firewall would be nice, but it looks like
> OpenAppId isn't the real gain.
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
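The conversion Cooper sketches above (host/URI/user-agent matches into http rules, ssl_host_group entries into tls rules, hex-heavy patterns via hex content blocks) as a small worked example. This is added illustration code, not part of the original post and not from the OpenAppId or Suricata projects. It assumes a constructed, simplified input format (the AppPattern records below, not the real ODP Lua detector layout) and modern Suricata sticky-buffer keywords (http.host, http.uri, http.user_agent, tls.sni, Suricata 5 or later); the 2015 keyword names differed.

```python
"""Added example: emit Suricata rules from a simplified OpenAppID-style pattern list."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AppPattern:
    """One pattern pulled from a detector (constructed format, not the ODP Lua layout)."""
    app: str                        # application name used in msg and flowbit
    host: Optional[str] = None      # HTTP Host header substring
    uri: Optional[str] = None       # HTTP URI substring
    user_agent: Optional[str] = None
    sni: Optional[str] = None       # TLS server name (ssl_host_group style)


# Characters that must be backslash-escaped inside content:"...";
_SPECIAL = {';', '"', '\\', '|'}


def escape_content(text: str) -> str:
    """Make a literal safe for a Suricata content match.

    Printable ASCII is emitted as-is (with the four specials escaped);
    any other byte is emitted as a |XX| hex block, which is also how the
    hex-heavy 'service' patterns would be carried over.
    """
    out = []
    for b in text.encode('utf-8'):
        ch = chr(b)
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif 32 <= b < 127:
            out.append(ch)
        else:
            out.append('|%02X|' % b)
    return ''.join(out)


def _tag_options(app: str) -> str:
    """Tag the flow instead of alerting; later rules can test flowbits:isset."""
    flowbit = 'app.' + app.lower().replace(' ', '_')
    return 'flowbits:set,%s; flowbits:noalert;' % flowbit


def http_rule(p: AppPattern, sid: int) -> str:
    """Build one HTTP rule; raises if the pattern has no HTTP fields."""
    matches = []
    if p.host:
        # http.host is normalised to lowercase and rejects nocase, so lowercase the literal.
        matches.append('http.host; content:"%s";' % escape_content(p.host.lower()))
    if p.uri:
        matches.append('http.uri; content:"%s";' % escape_content(p.uri))
    if p.user_agent:
        matches.append('http.user_agent; content:"%s"; nocase;' % escape_content(p.user_agent))
    if not matches:
        raise ValueError('%s: no HTTP fields to match' % p.app)
    return ('alert http any any -> any any (msg:"APP %s HTTP"; '
            'flow:to_server,established; %s %s sid:%d; rev:1;)'
            % (p.app, ' '.join(matches), _tag_options(p.app), sid))


def tls_rule(p: AppPattern, sid: int) -> str:
    """Build one TLS rule on the SNI, the ssl_host_group equivalent."""
    if not p.sni:
        raise ValueError('%s: no SNI pattern' % p.app)
    return ('alert tls any any -> any any (msg:"APP %s TLS"; '
            'flow:to_server,established; tls.sni; content:"%s"; nocase; %s sid:%d; rev:1;)'
            % (p.app, escape_content(p.sni), _tag_options(p.app), sid))


def convert(patterns: List[AppPattern], base_sid: int = 9000000) -> List[str]:
    """Emit one rule per protocol per pattern, with unique sids counting up from base_sid."""
    rules = []
    sid = base_sid
    for p in patterns:
        if p.host or p.uri or p.user_agent:
            rules.append(http_rule(p, sid))
            sid += 1
        if p.sni:
            rules.append(tls_rule(p, sid))
            sid += 1
    return rules


# Constructed sample input for the example; not taken from any real detector.
SAMPLE = [
    AppPattern(app='ExampleCDN', host='Cdn.Example.net', uri='/v1/'),
    AppPattern(app='ExampleChat', user_agent='ExampleChat/2;beta', sni='chat.example.org'),
    AppPattern(app='ExampleBin', uri='/bin\x00\x7f'),   # non-printables become |00||7F|
]

if __name__ == '__main__':
    for rule in convert(SAMPLE):
        print(rule)
```

The flowbits:set plus flowbits:noalert pair is what makes this tagging rather than alerting: a separate policy rule can then match on flowbits:isset,app.examplechat and drop or log. Feed the output through suricata -T against your suricata.yaml before loading it, since that catches escaping mistakes and keyword/version mismatches.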