(Optional) Configure Decoder to Support OpenAppID

The NetWitness Decoder can identify applications using the OpenAppID detectors. OpenAppID from Cisco is an application-layer network security plug-in for Snort (an open source network intrusion detection system). It is a set of open source Lua libraries (detectors) that identifies applications in the network traffic.

When Network Decoder detects an application with an OpenAppID detector, the appid meta is created. The value of the appid meta helps in identifying the application as it is the application's entry in the appMapping.data file. The appMapping.data file is part of the OpenAppID distribution and contains metadata of the application detectors.

Note: By default, all detectors are disabled to avoid any negative impact on the performance.

To configure the OpenAppID detectors:

IMPORTANT: Ensure that you enable only the required OpenAppID detectors. Enabling all the OpenAppID detectors can reduce the performance. Before you enable any detector, understand your application detection requirements and enable only the specific detectors. For example, enabling the service_* detector or any other detector that attempts to match short generic patterns can cause severe impact on the performance.

  1. Download the OpenAppID source package (snort-openappid.tar.gz) from the Snort Downloads (https://www.snort.org/downloads) page.
  2. Upload the OpenAppID source package to the network decoder (http://<networkdecoder>:50104/decoder/parsers/upload), which can be accessed using the REST interface.
    Once uploaded, decoder will extract the package to an appropriate folder. The default folder is /etc/netwitness/ng/odp.
  3. To enable detectors, modify the /decoder/parsers/config/openappid.enabled file with a combination of detector filenames or wildcards, separated by commas. For example, client_*, payload_slashdot.lua, payload_reddit.lua.
    The following table describes the detector group filenames and their functions. You can extract the complete set of detectors from the OpenAppID source package (snort-openappid.tar.gz) or it can be viewed on the Decoder file system at /etc/netwitness/ng/odp/lua.
    Detector Group FilenameDescription
    client_*Detectors for client applications (for example, Facebook, MacAppStore).
    content_group*Detectors for a specific type of network attribute such as protocol, port, or service (for example, port_services which contains many services identified by their common ports).
    payload_*Detectors for the host based traffic (for example, Hulu, Reddit).
    service_*Detectors for service applications (for example, Minecraft, VNC).
    ssl_host_group_*Detectors for SSL hosts logically grouped together (for example, 334 which contains many ecommerce websites).
  4. Ensure that you specify the detector filenames correctly. If you specify an incorrect filename, the detector will not load. The following table lists some good and bad file naming conventions and their status on subsequent loading.
    Detector Group FilenameStatus
    client_9P.lualoaded
    client_9p.luanot loaded (Linux only)
    client_9Pnot loaded
    client_9P*loaded
    client_9P.*loaded
    lient_9P.luanot loaded

    lient_9P.*

    not loaded

    *lient_9P.lualoaded
  5. Once the required detectors are enabled, reload the parser to load the detectors. The following example message will confirm that the detectors and enabled successfully.
    2020-May-14 17:03:37 [OpenAppID] 59 detectors loaded out of 59