Cisco released OpenAppID, their answer to Palo Alto Networks’ AppID feature, which allows administrators to know exactly what applications are running in the network.
It has been released as a plugin of the Snort distribution. We have recently upgraded our sensor software to support this feature. OpenAppID results appear as an additional field in the IDS alerts to give better context for the alerts. We also gather this information to associate it with the internal host IP addresses, whether or not they generate an IDS event.
For example, when a user uses Facebook, it will trigger one or more of these:
Facebook Apps Facebook Facebook Chat Facebook Comment Facebook Read Email Facebook Send Email Facebook Status Update Facebook search Facebook event Facebook post Facebook video chat Facebook message Facebook video
If your software has been upgraded, the file /nsm/bin/snort/src/.version should contain 18.104.22.168. If it does not, you can upgrade by executing this command: /nsm/etc/mss.sh restart (Note: MetaFlows UTM appliances do not support OpenAppID yet).
To turn on this feature, check the OpenAppID checkbox in your sensor configuration page and reload or restart the sensor.
Once this feature is turned on, you can look at the daily reports and see the top AppID summary or look at the AppIDs in your IDS events. You can now create user-defined policies that match specific AppIDs!
This new feature requires 40% more memory and in some cases, even though we install it, the system automatically turns it off if you do not have enough memory. You need at least 2 GB RAM per core. For example, if your subscription is for 16 cores and your sensor has 24 GB RAM, the system would disable OpenAppID automatically.
If you do not process a lot of data and have a low memory system, you can force the loading of OpenAppID by adding the line export forceappid=1 at the top of the /nsm/etc/mss.sh script. Note that because it uses about 40% more memory, your sensor might slow down if you do not have enough RAM. Please monitor your drop rate closely if you force the OpenAppID functionality.
We highly recommend using this feature. If you have any questions, please do not hesitate to contact our engineers at email@example.com for more information.