Cisco Subnet An independent Cisco community View more

Application Awareness goes open source: Snort OpenAppID

Cisco Sourcefire recently announced that their Snort open source IDS/IPS 2.9.7 will now support free application visibility and control, called OpenAppID.  It will be fully integrated into the current Snort framework and offers a new application preprocessor and keyword 'appid' that can be used in any Snort rule.  OpenAppID will launch with detection for over 1400+ applications, providing Snort admins with much needed awareness of the applications on their networks.  The Snort application information can also be sent to 3rd party analytics or SIEM tools.  

SNORT

The defacto industry standard rule language for IDS/IPS has been Sourcefire's Snort open source technology.  So this OpenAppId release begs the question; can Snort do it again in the application visibility and control space?  Will Snort become the standard for application detection signatures?Application awareness has been largely dominated by the NGFW (next-generation firewall) market so far and is one of the major factors that market has sky rocketed.  You couldn't swing a stick at the latest RSA conference without hitting a vendor with a NGFW offering to tell you about.  So what happens now that the largest open source security project has now begun to offer a for free AVC solution to the market?  Will the Snort community rush to adopt the OpenAppID features released in Snort version 2.9.7?  If we look at the history of the Snort community it is very likely that they will.  If they do, will the NGFW and NGIPS markets follow their customers and implement support for OpenAppID as well?  Could be a game changer for the viability of AVC as a security tool.

Why do we need a defacto standard for AVC?  Because today customers don't know, aren't allowed to view, what makes up the AVC signatures found in their NGFW or NGIPS devices.  You just have to trust that they are well written and not easily subverted or hijacked.  In some cases, the NGFW industry is telling you that AVC is the cornerstone achievement of the next level of firewall-like protections.  And that understanding the application, at layer 7, is required to adequately  lock down your network security.  But at the same time the exact methods, signatures and techniques being used to correctly identify these applications is hidden from the administrator/customer.  That means that the customer is working on good faith that the vendor has done a good job with app visibility.  Never a good position to be in.  Hopefully OpenAppID will lift the curtain of AVC secrecy and force all AVC vendors to disclose their signatures and methods.  Snort already did that for IDS/IPS and I hope it will do it again for AVC.  Now that the industry has an open source community formed to create, share and evaluate application detection signatures and methods, administrators will have knowledge they need to be able to determine the true robustness and security usefulness of this technology.  

Many are under the impression that the underlying technology behind AVC is complex and robust enough to accurately both identify applications correctly and prevent things like application masquerading by malware to avoid detection and slip through your application based security policy.  Unlike a traditional firewalls layer 4 port based (TCP/UDP) controls, AVC's Layer 7 controls can be easily spoofed or misinterpreted.  In my experience most of the AVC signatures out there are based on the equivalent of regex strings and even worse if it is a web application it is based on just a regex pattern match within the URL request string.  Sounds like what a URL filtering engine does, not what you'd expect from an application visibility engine.  A URL match does not an application id make.  Some AVC engines will incorrectly identity the following string as facebook just because the regex string matches, http://www.somehackersite.com/www.facebook.com/ 

It is time the veil of secrecy behind AVC signatures and methods is lifted across the industry.  It is time for a true community driven, open source, AVC project that will strive to increase the robustness and efficacy of application identification.   With so many applications already and new ones by the thousands coming regularly, the problem is bigger than any vendor and requires a global community effort.  I trust that the largest open source community in security, the snort community,  is game for the task!  

So what application ID are you going to create or improve on first?

To learn more or to download and install Snort OpenAppID yourself go here:

www.snort.org 

Good video on setup instructions

http://blog.snort.org/2014/03/openappid-install-video.html

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer. 

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies