OpenAppID Support

 

2000px-Cisco_logo.svg

Cisco released OpenAppID, their answer to Palo Alto Networks’ AppID feature, which allows administrators to know exactly what applications are running in the network.
It has been released as a plugin of the Snort distribution. We have recently upgraded our sensor software to support this feature. OpenAppID results appear as an additional field in the IDS alerts to give better context for the alerts. We also gather this information to associate it with the internal host IP addresses, whether or not they generate an IDS event.

For example, when a user uses Facebook, it will trigger one or more of these:

Facebook Apps
Facebook
Facebook Chat
Facebook Comment
Facebook Read Email
Facebook Send Email
Facebook Status Update
Facebook search
Facebook event
Facebook post
Facebook video chat
Facebook message
Facebook video

If your software has been upgraded, the file /nsm/bin/snort/src/.version should contain 2.7.9.0. If it does not, you can upgrade by executing this command: /nsm/etc/mss.sh restart (Note: MetaFlows UTM appliances do not support OpenAppID yet).

To turn on this feature, check the OpenAppID checkbox in your sensor configuration page and reload or restart the sensor.

Once this feature is turned on, you can look at the daily reports and see the top AppID summary or look at the AppIDs in your IDS events. You can now create user-defined policies that match specific AppIDs!

This new feature requires 40% more memory and in some cases, even though we install it, the system automatically turns it off if you do not have enough memory. You need at least 2 GB RAM per core. For example, if your subscription is for 16 cores and your sensor has 24 GB RAM, the system would disable OpenAppID automatically.

If you do not process a lot of data and have a low memory system, you can force the loading of OpenAppID by adding the line export forceappid=1 at the top of the /nsm/etc/mss.sh script. Note that because it uses about 40% more memory, your sensor might slow down if you do not have enough RAM. Please monitor your drop rate closely if you force the OpenAppID functionality.

We highly recommend using this feature. If you have any questions, please do not hesitate to contact our engineers at support@metaflows.com for more information.

Leave a Reply

Your email address will not be published. Required fields are marked *