[Oisf-users] Is there any possible Suricata could support OpenAppId?

Andreas Herz andi at geekosphere.org
Tue Oct 13 07:24:55 UTC 2015

On 12/10/15 at 10:13, Cooper F. Nelson wrote:
> The majority of the lua rules seem to be doing trivial matches on HTTP
> headers, which I'm almost positive suricata can do more efficiently via
> libhttp and the existing http rule syntax.

Great to see that I'm not the only one seeing this :)

> tl;dr If you want to block domains, urls and/or user-agents, use Squid.

Besides using Squid, there is no gain in using openappid; blocking
domains can be achieved in several places quite easily.

> Unless I'm missing something, it appears you could easily convert the
> web applications into suricata http rules.  For example, using these
> keywords:
> client:		http_user_agent
> content_group:	http_header
> payload:	http_host; http_uri

And this is why I'm wondering why they even introduced openappid
instead of using the existing decoder etc.
Since it's not that special or difficult (besides some edge cases

> The 'service' rules are trickier and would probably have to be
> re-written by hand, as there are lots of hex matches and ranges involved.

But still something that is technically possible with suricata (and

So it looks more sane to write a converter than to implement the
"decoding" part, I guess.

Andreas Herz
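As an added illustration of the converter idea discussed above (this is not code from the thread, from Suricata or from the OpenAppId project), the script below turns a small, constructed set of web-application descriptors into Suricata HTTP rules using the keyword mapping Cooper proposed: client -> http_user_agent, content_group -> http_header, payload -> http_host / http_uri. The descriptor dictionaries, their field names and the sid range are assumptions made for the example; they are a flat simplification, not the real OpenAppId lua detector API. The one part a practitioner would actually want from such a converter is the content escaping: bytes that are special inside a Suricata content string (`;`, `"`, `\`, `|`) and non-printable bytes are emitted as `|hex|` runs, and http_host patterns are lowercased because that buffer is normalized to lowercase.

```python
"""Convert simplified, constructed application descriptors into Suricata
HTTP rules (added example; not OpenAppId's or Suricata's own code)."""

import re

# Constructed descriptors. Field names follow the mapping in the thread
# (client / content_group / payload); the layout is an assumption, not the
# real OpenAppId lua detector structure. Patterns in one descriptor are
# combined with AND into a single rule (also an assumption).
EXAMPLE_DETECTORS = [
    {"name": "ExampleAgent", "client": "ExampleAgent/1."},
    {"name": "ExampleCDN",
     "payload": {"host": "CDN.example.net", "uri": "/assets/"}},
    {"name": "ExampleHeader", "content_group": 'X-Example-App: "v2"'},
]

# Bytes that must not appear literally inside content:"..."
SPECIAL = set(b';"\\|')


def escape_content(value: str) -> str:
    """Render a pattern as a Suricata content string, hex-encoding (|..|)
    the special bytes and anything outside printable ASCII."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in value.encode("utf-8"):
        if b in SPECIAL or not 0x20 <= b <= 0x7E:
            hexrun.append(f"{b:02X}")
        else:
            flush()
            out.append(chr(b))
    flush()
    return "".join(out)


def _msg(name: str) -> str:
    # msg has no hex escaping; drop characters that would break the option.
    return re.sub(r'[;"\\]', "", name)


def detector_to_rule(det: dict, sid: int) -> str:
    """Build one Suricata rule from a descriptor, ANDing all its patterns."""
    opts = [f'msg:"OpenAppId {_msg(det["name"])}";',
            "flow:established,to_server;"]
    if "client" in det:
        opts.append(f'content:"{escape_content(det["client"])}"; http_user_agent;')
    if "content_group" in det:
        opts.append(f'content:"{escape_content(det["content_group"])}"; http_header;')
    payload = det.get("payload", {})
    if "host" in payload:
        # The http_host buffer is lowercased by Suricata, so the pattern must be too.
        opts.append(f'content:"{escape_content(payload["host"].lower())}"; http_host;')
    if "uri" in payload:
        opts.append(f'content:"{escape_content(payload["uri"])}"; http_uri;')
    if len(opts) == 2:
        raise ValueError(f"descriptor {det['name']!r} has no usable pattern")
    opts.append(f"sid:{sid}; rev:1;")
    return "alert http any any -> any any (" + " ".join(opts) + ")"


def convert(detectors, sid_base: int = 9000000) -> list:
    """Return one rule per descriptor, with sequential sids from sid_base
    (the sid range is an arbitrary choice for the example)."""
    return [detector_to_rule(d, sid_base + i) for i, d in enumerate(detectors)]


if __name__ == "__main__":
    for rule in convert(EXAMPLE_DETECTORS):
        print(rule)
```

The generated rules only use the classic content-modifier form (`content:"..."; http_user_agent;`), which the Suricata version discussed in the thread accepts; the "service" detectors with raw hex ranges that Cooper mentions would need hand-written `content`/`offset`/`depth` rules and are deliberately not covered here.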
