Application Detection on pfSense® Software

Thanks to the Snort package and OpenAppID, pfSense is now application-aware.

This layer 7 functionality arrives through an upgraded version of the Snort package for pfSense software. Maintained by Bill Meeks, the Snort package has been available for many years and is one of our most popular packages. Thanks to his continued efforts, as well as those of Demair Ramos, OpenAppID is now part of the Snort package.

What is OpenAppID?

Introduced in 2014 by Snort author and Sourcefire founder Martin Roesch, OpenAppID is an application-focused detection language and processing module for Snort. Quoting the original blog post by Martin Roesch:

“OpenAppID puts control in the hands of users, allowing them to control application usage in their network environments and eliminating the risk that comes with waiting for vendors to issue updates. Practically speaking, we’re making it possible for people to build their own open source Next-Generation Firewalls.”

It is important to remember that OpenAppID provides application identification and not threat detection. We strongly recommend reading the entire blog post by Martin found here.

OpenAppID consists of a set of LUA libraries for detecting applications, as well as the application detectors themselves. To enable OpenAppID in the Snort package for pfSense, Bill Meeks has integrated all the necessary AppID stubs and LUA scripts to enable OpenAppID to function. However, in order to employ these signatures, it is necessary to create text rules similar to any other custom Snort rule, with the difference being the “appid” keyword in the rule. The appid keyword can be embedded in any rule to match only on traffic already identified as a specific application.

These rules reference the various application IDs provided by the VRT (Vulnerability Research Team) in your rules. In order to actually use OpenAppID you need to get the App ID stubs from VRT and then create text rules that reference the App ID’s. However, the actual application detection rules for analyzing traffic are not provided by Cisco or Snort.

This is where, once again, our community shines. A pfSense user and community member named Demair Ramos created a large collection of text rules that use the AppIDs provided by VRT. Demair even hosted the rules he created on his university’s server in Brazil, but this server has limited bandwidth, and implements geo-blocking to preserve the same. Working with Bill, Demair and our developer Renato Botelho do Couto created a new ‘mirror’ of this rulebase on our infrastructure, and Bill has changed the Snort package for pfSense to use them, and pfSense-package-snort v3.2.9.5_4 or later has the updated changes.

Using Snort and Application ID

In pfSense, OpenAppID can successfully detect, and if configured to do so, block over 2600 different services like Facebook, Netflix, Twitter, and Reddit. The package can be installed from the pfSense Package Manager and configured via the existing Snort GUI. Those familiar with snort should find the interface for working with OpenAppID detectors and rules familiar and easy to use.

We have recently updated our Snort guide for pfSense and added a brand new section covering Application ID, which can be found here.

Our plan for OpenAppID is not limited to pfSense, we intend to enable it for our upcoming advanced platforms that use Cisco’s VPP and DPDK. More on this subject in the future.

We would like to express our sincere gratitude to our contributors Bill Meeks and Demair Ramos for making pfSense application aware, as well as thank Cisco’s Martin Roesch for his vision and work enabling true NGFW functionality for pfSense software.