App Control
===========

You can find the App Control Settings at **Firewall → App Control**.

Traditional firewall rules, which only identify ports, protocols and IP addresses, cannot identify and control applications. App Control allows you to define and use Application Definitions and Signatures to define Firewall Rules that are based on Layer 7 attributes.

App Control is based on the Intrusion Detection System. The Intrusion Detection System has to be enabled in order for App Control to work. The Settings of App Control present some of the same options as the Intrusion Detection Settings. Both change the same settings.

Apps
****

There are several Apps predefined in the System. You can click on *Edit* to show their definition in the System.

.. note::

   If you are missing an App or have suggestions for Apps, please write us an email. We are happy to add new Apps.

.. image:: img/AppControl-Apps.png
   :width: 100%
   :align: center
   :alt: App Control Apps

Defining new Apps can be done by adding new Apps. Since most applications are based on HTTP or HTTPS, the GUI presents three predefined options. You can always use the custom option to define custom rules that are not covered by the GUI options. We refer to the `Suricata Manual `_ for this case.

.. image:: img/AppControl-AppDefinition.png
   :width: 100%
   :align: center
   :alt: App Control App Definition

**Name** has to be unique among the applications.

**Description** can be a user defined string.

**AppType** is one of HTTP, SSL/TLS (HTTPS), Web or JA3. *JA3* defines a unique string of the encryption parameters of an SSL/TLS connection. The JA3 is tied to the specific encryption parameters used by a server or client. This is most useful for fixed clients where the options never change. A JA3 hash is also shown for a *flow* in the logfiles for each established connection. *Web* will create a combined HTTP and SSL/TLS field matching the Host and SNI field.

**Option** for HTTP, SSL/TLS or JA3 shows you the different fields that can be searched for inside a connection. For TLS/SSL you can, for example, match against the SNI or certificate fields of the connection. After the initial connection handshake no further information can be obtained from encrypted connections.

**Content** is the content to match against.

**Offset** makes the match faster by setting an offset into the selected option field. Otherwise the entire content of the field is searched.

**Case Insensitive** changes the default: content matches are case sensitive unless this option is set.

**Data Check** opens up additional options to match inside the data.

**Is Data At** checks if there is more data at the given position.

**Is Data At Negation** makes the *Is Data At* field a NOT *Is Data At* field.

**Is Data At Relative** makes the match for *Is Data At* relative to the matched content in the *Content* field.

**Flow Direction** can be *To Server* or *To Client*. For HTTP or SSL/TLS connections the flow is usually *To Server*.

**Flow Established** checks for an established flow. For HTTP or SSL/TLS connections the setting is usually *Established*.

**PCRE** allows for an additional PCRE regex check. It is also possible to leave the *Content* field empty and only use the *PCRE* match.

**PCRE Content** should contain the *PCRE* match content, for example ``/voleatech.com$|voleatech.de$/i``.

Flows
+++++

For App Control, flows are an important concept. A flow is a connection between a server and a client that is identified by its attributes. This is usually the IP addresses, the protocol and the ports. Data about the *Application* can usually only be obtained once a connection is established between a client and a server. For example, for SSL/TLS the TCP connection needs to go through the TCP handshake in order to obtain the certificate and SNI information. The connection can be blocked or accepted with *App Control* only after the initial connection has been created.

.. warning::

   This means that a Firewall Rule :ref:`Firewall Rules (Forward and Input)` has to be created to allow the connection to be started. App Control is executed **AFTER** the firewall rules.

Categories
**********

Apps are grouped in Categories. There are default builtin categories that can be used, and you have the ability to create your own categories. Categories are groups of Apps that can be used in App Control Rules.

.. image:: img/AppControl-Category.png
   :width: 100%
   :align: center
   :alt: App Control Category

.. image:: img/AppControl-CategoryEdit.png
   :width: 100%
   :align: center
   :alt: App Control Category Edit

Rules
*****

App Control Rules are similar to firewall rules. You can still narrow down the match to *IP Version*, *Protocol*, *Source IP*, *Source Port*, *Destination IP* and *Destination Port*. The difference is that you can also add **Apps** and **App Categories** to a rule. It is also possible to assign *QoS* to a matched rule.

.. note::

   App Rules are processed differently than normal firewall rules. The rules are processed in the following order: Pass, Reject, Drop, Match. You can change the order so that Pass is processed last in the settings. Therefore the order of App Rules cannot be changed either.

.. image:: img/AppControl-Rule1.png
   :width: 100%
   :align: center
   :alt: App Control Rule

.. image:: img/AppControl-Rule2.png
   :width: 100%
   :align: center
   :alt: App Control Rule

.. image:: img/AppControl-Rule3.png
   :width: 100%
   :align: center
   :alt: App Control Rule

.. image:: img/AppControl-Rule4.png
   :width: 100%
   :align: center
   :alt: App Control Rule

Settings
********

The Settings allow you to turn App Control on and off. You can also select the interfaces whose traffic should be analyzed.

.. note::

   The input and output interface must both be enabled for internet traffic, for example LAN and WAN.

.. image:: img/AppControl-Settings.png
   :width: 100%
   :align: center
   :alt: App Control Settings
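As an added illustration of how the App definition fields described under *Apps* correspond to Suricata signature options (this is example code, not the product's own rule generator; the field-to-keyword mapping, the Option names and the ``app_to_rules``/``_render`` helpers are assumptions made for this example):

```python
# Added example, not the product's own code: renders an App Control App
# definition (the fields described in the Apps section) into Suricata rule
# text. The field-to-keyword mapping and Option names are assumptions.

# Assumed (AppType, Option) -> (protocol, Suricata sticky buffer) mapping.
BUFFERS = {
    ("HTTP", "Host"): ("http", "http.host"),
    ("SSL/TLS", "SNI"): ("tls", "tls.sni"),
    ("SSL/TLS", "Certificate Subject"): ("tls", "tls.cert_subject"),
    ("JA3", "Hash"): ("tls", "ja3.hash"),
}


def _render(app: dict, sid: int) -> str:
    """Render one App definition dict as a single Suricata rule line."""
    proto, buf = BUFFERS[(app["apptype"], app["option"])]
    content, pcre = app.get("content", ""), app.get("pcre", "")
    if not content and not pcre:
        raise ValueError("either Content or PCRE Content must be set")
    direction = "to_client" if app.get("flow_direction") == "To Client" else "to_server"
    flow = direction + (",established" if app.get("flow_established", True) else "")
    opts = [f'msg:"App {app["name"]}"', f"flow:{flow}", buf]
    if content:
        opts.append(f'content:"{content}"')
        if app.get("case_insensitive"):          # Case Insensitive -> nocase
            opts.append("nocase")
        if "offset" in app:                       # Offset -> offset:N
            opts.append(f'offset:{app["offset"]}')
    if app.get("data_check"):                     # Data Check -> isdataat
        if app.get("is_data_at_relative") and not content:
            raise ValueError("Is Data At Relative needs a Content match")
        neg = "!" if app.get("is_data_at_negation") else ""
        rel = ",relative" if app.get("is_data_at_relative") else ""
        opts.append(f'isdataat:{neg}{app["is_data_at"]}{rel}')
    if pcre:                                      # PCRE -> pcre:"/.../flags"
        opts.append(f'pcre:"{pcre}"')
    opts.append(f"sid:{sid}")
    return f"alert {proto} any any -> any any ({'; '.join(opts)};)"


def app_to_rules(app: dict, sid: int) -> list[str]:
    """AppType Web expands to an HTTP Host rule plus an SSL/TLS SNI rule."""
    if app["apptype"] == "Web":
        return [_render(dict(app, apptype="HTTP", option="Host"), sid),
                _render(dict(app, apptype="SSL/TLS", option="SNI"), sid + 1)]
    return [_render(app, sid)]


if __name__ == "__main__":  # constructed input using the page's PCRE example
    print("\n".join(app_to_rules({"name": "Voleatech", "apptype": "Web",
                                  "pcre": "/voleatech.com$|voleatech.de$/i"}, 1000001)))
```

Because SNI and certificate data only exist after the TLS handshake, every generated rule carries ``flow:...,established``, which is why the firewall rule allowing the connection to start must exist first.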