
We introduced OpenAppID in early 2014 with the goal of empowering customers and the open source community to control application usage in their network environments. Since then, we have increased our coverage from 1,000 OpenAppID detectors to more than 2,600, and have received valuable feedback from the community on ways to improve the product.

Having an open, application-focused detection language and processing module for Snort has attracted the attention of the Internet of Everything (IoE) world. There are countless devices out there using the Internet on their own, ranging from a remote IP-based camera to an industrial sensor, some of which include security features of their own and many of which do not.

By combining OpenAppID with Snort, we give the open source community the ability to write their own detectors for application protocols and classifications, which can be used to build a better threat-centric solution in this space as well.

Using this scripting language (OpenAppID detectors are Lua scripts loaded by Snort), someone can quickly test and understand the different protocols that IoE devices speak. It can provide further analytics on a specific device's behavior and validate some of a protocol's data against the rest of the connected devices. It has been used to build layered detectors that identify different behaviors and actions of specific protocols, and to track application state across different traffic patterns within the same application flow, or even across flows.

In addition, operators can use these tools to control the access of specific connected devices based on the networks they are located in. For example, someone can allow a device to operate from "Network Source A" -> "Network Destination B" only when the protocol is DNP3 Read; any other type of DNP3 operation would not be allowed between that source and destination.
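The DNP3 Read policy above depends on two pieces of logic: classifying a request by its application-layer function code, and deciding allow or deny from the source network, destination network and that classification. The following Python is an added example written for this page; it is not an OpenAppID detector (those are Lua scripts run inside Snort) and not code from the OpenAppID project. It parses a DNP3 frame down to the function code, verifying the link-header and data-block CRCs so that a corrupted or truncated frame is never classified as a harmless READ, and then applies the A-to-B policy. The networks NET_A and NET_B, the DNP3 link addresses, and the sample frames are all constructed for the example.

```python
"""DNP3 request classification and network policy check (added example, not OpenAppID code).

Frame layout assumed here (DNP3 / IEEE 1815):
  link header : 05 64 | LEN | CTRL | DST(2, LE) | SRC(2, LE) | CRC(2, LE)
  user data   : blocks of up to 16 bytes, each followed by its own CRC-16/DNP
  user data   : transport byte | application control | function code | objects...
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Application-layer function codes (request side plus the response code).
READ, WRITE, SELECT, OPERATE, DIRECT_OPERATE, COLD_RESTART = 0x01, 0x02, 0x03, 0x04, 0x05, 0x0D
FUNC_NAMES = {
    0x00: "CONFIRM", READ: "READ", WRITE: "WRITE", SELECT: "SELECT", OPERATE: "OPERATE",
    DIRECT_OPERATE: "DIRECT_OPERATE", COLD_RESTART: "COLD_RESTART", 0x81: "RESPONSE",
}

# Hypothetical networks standing in for "Network Source A" and "Network Destination B".
NET_A = ipaddress.ip_network("10.1.0.0/24")
NET_B = ipaddress.ip_network("10.2.0.0/24")


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, output complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_request(func: int, src_addr: int = 1, dst_addr: int = 10, objects: bytes = b"") -> bytes:
    """Construct a single-fragment master request; used only to make constructed sample traffic."""
    user = bytes([0xC0, 0xC0, func]) + objects       # transport FIR|FIN, app FIR|FIN seq 0, function
    header = bytes([0x05, 0x64, 5 + len(user), 0xC4])  # LEN = CTRL+DST+SRC+user data; CTRL = DIR|PRM|unconfirmed
    header += dst_addr.to_bytes(2, "little") + src_addr.to_bytes(2, "little")
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):                # each data block of up to 16 bytes carries its own CRC
        block = user[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


@dataclass
class Dnp3Request:
    link_src: int
    link_dst: int
    func: int


def parse_dnp3(frame: bytes) -> Optional[Dnp3Request]:
    """Return the link addresses and function code, or None if the frame is malformed."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        return None
    header = frame[:8]
    if crc16_dnp(header) != int.from_bytes(frame[8:10], "little"):
        return None                                  # bad header CRC: refuse to classify
    user_len = frame[2] - 5
    dst = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    user, pos = b"", 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or crc16_dnp(block) != int.from_bytes(crc, "little"):
            return None                              # truncated or corrupted data block
        user, pos = user + block, pos + n + 2
    if len(user) < 3:
        return None                                  # need transport, app control and function code
    return Dnp3Request(link_src=src, link_dst=dst, func=user[2])


def policy_allows(src_ip: str, dst_ip: str, frame: bytes) -> Tuple[bool, str]:
    """Allow DNP3 only from NET_A to NET_B, and only when the request is a READ. Fails closed."""
    req = parse_dnp3(frame)
    if req is None:
        return False, "malformed DNP3 frame: denied"
    name = FUNC_NAMES.get(req.func, f"0x{req.func:02x}")
    in_scope = ipaddress.ip_address(src_ip) in NET_A and ipaddress.ip_address(dst_ip) in NET_B
    if in_scope and req.func == READ:
        return True, f"DNP3 {name} {src_ip} -> {dst_ip}: allowed"
    return False, f"DNP3 {name} {src_ip} -> {dst_ip}: denied"


if __name__ == "__main__":
    # Constructed sample traffic: a data poll (READ) and a control command (DIRECT_OPERATE).
    for func in (READ, DIRECT_OPERATE):
        print(policy_allows("10.1.0.5", "10.2.0.20", build_request(func))[1])
```

The check is deliberately fail-closed: a frame whose CRCs do not verify, or that is too short to carry a function code, is denied rather than treated as unclassified traffic, which is the behavior you want before the DNP3 Read allowance is applied.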

Policies like that add another layer of security, and combined with the IPS capabilities of Snort, you get the best of both worlds.

For more information, check out OpenAppID and our open source detectors at http://www.snort.org.

 



Authors

Costas Kleopa

Manager, Cisco Security Business Group