Since OpenAppID was introduced in 2014, we have received a lot of valuable feedback on what improvements and capabilities would be useful in the product. Since then we have expanded our capabilities and increased coverage from 1,000 OpenAppID detectors to 2,600 and counting.
Having an open, application-focused detection language and processing module for Snort has attracted the attention of the Internet of Everything (IoE) world. Countless devices now use the internet on their own, from a remote IP-based camera to an industrial sensor, and they may include some security features of their own.
With the combination of OpenAppID and Snort we are giving the open source community the ability to write detectors and classifications for their own application protocols, which can be used to build a better threat-centric solution in this space as well.
Using this scripting language, someone can quickly test and understand the different protocols that IoE devices speak. A detector can provide further analytics on a specific device's behavior and validate some of the protocol's data against the rest of the IoE devices. It has been used to build multi-layer applications that identify the different behaviors and actions of specific protocols, and it can track an application's state across different traffic patterns within the same application flow or even an external one.
In addition, operators can use these tools to control the access of specific IoE devices based on the networks on which they are located. For example, a device can be allowed to operate from "Network Source A" -> "Network Destination B" only when the protocol is DNP3 Read; any other type of DNP3 operation between that source and destination would be blocked.
Policies like that add another layer of security, and combined with the IPS capabilities of Snort you get the best of both worlds.
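The "DNP3 Read only from A to B" policy above, written out as a Snort configuration fragment. This is an added example and not code from the Snort or OpenAppID projects; it assumes Snort 2.9.7 or later running inline (so that drop rules are enforced), the DNP3 preprocessor and OpenAppID both enabled, DNP3 carried over TCP port 20000, the network addresses shown, and that the ODP lists the application under the name DNP3 in its appMapping.data (check the name in your own detector package).

```snort
# Added example: restrict DNP3 between two networks to READ requests only.
# Assumed addresses; replace with the master (A) and outstation (B) networks.
ipvar NET_A 10.1.0.0/24
ipvar NET_B 10.2.0.0/24
portvar DNP3_PORTS 20000

# DNP3 preprocessor: decodes link/transport/application layers, validates the
# link-layer CRCs and makes the application function code available to rules
# through the dnp3_func option.
preprocessor dnp3: ports { 20000 }, check_crc

# OpenAppID: app_detector_dir points at the directory holding odp/ and custom/.
# The path is an assumption; use wherever you unpacked the detector package.
preprocessor appid: app_detector_dir /usr/local/lib/openappid

# 1) Permit READ (function code 0x01) from NET_A to NET_B. appid:DNP3 is the
#    OpenAppID classification of the flow, dnp3_func:read the decoded function.
pass tcp $NET_A any -> $NET_B $DNP3_PORTS (msg:"DNP3 READ permitted A->B"; flow:to_server,established; appid:DNP3; dnp3_func:read; sid:1000001; rev:1;)

# 2) Any other DNP3 request on that path (WRITE, SELECT, OPERATE, restarts...)
#    is dropped. The pass rule above must be evaluated before this one.
drop tcp $NET_A any -> $NET_B $DNP3_PORTS (msg:"DNP3 non-READ function dropped A->B"; flow:to_server,established; appid:DNP3; sid:1000002; rev:1;)

# 3) DNP3 reaching the outstation network from any other source is dropped,
#    whatever port it uses, because AppID classifies by content, not port.
drop tcp !$NET_A any -> $NET_B any (msg:"DNP3 from unexpected source dropped"; flow:to_server,established; appid:DNP3; sid:1000003; rev:1;)
```

Two practical caveats. First, this relies on pass rules being evaluated ahead of drop rules; that is Snort's normal behaviour, but if your deployment changes the evaluation order with `config order`, verify that the pass rule still wins. Second, a master that only reads still has to send application-layer CONFIRM messages when an outstation response sets the confirmation bit, so in a real deployment you will usually add a second pass rule with `dnp3_func:confirm` alongside the READ one rather than letting rule 2 drop those confirmations.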
For more information, check out OpenAppID and our open source detectors at http://www.snort.org