11.11. App Control¶
You can find the App Control Settings at Firewall → App Control.
Traditional firewall rules, which only identify ports, protocols and IP addresses, cannot identify and control applications. App Control allows you to define and use Application Definitions and Signatures to define Firewall Rules that are based on Layer 7 attributes.
App Control is based on the Intrusion Detection system. The Intrusion Detection System has to be enabled in order for App Control to work. The Settings of App Control presents some of the same options as the Intrusion Detection Settings. Both change the same settings.
There are several Apps predefined in the System. You can click on Edit to show their definition in the System.
If you are missing an App or have suggestions for Apps, please write us an email. We are happy to add new Apps.
Defining new Apps can be done by adding new Apps. Since most applications are based on HTTP or HTTPS the GUI presents three predefined options. You can always use the custom option to define custom rules that are not covered by the GUI options. We refer to the Suricata Manual for this case.
Name has to be unique for the applications
Description can be a user defined string
AppType is one of HTTP, SSL/TLS (HTTPS), Web or JA3. JA3 defines a unique string of the encryption parameters of an SSL/TLS connection. The JA3 is tied to the specific encryption parameters used for a server or client. This is most useful for fixed clients where the options never change. A JA3 hash is also shown for a flow in the logfiles for each established connection. Web will create a combined HTTP and SSL/TLS field matching the Host and SNI field.
Option for HTTP, SSL/TLS or JA3 shows you different fields that can be searched for inside a connection. For TLS/SSL you can for example match against the SNI or certificate fields of the connection. After the initial connection handshake no further information can be obtained by encrypted connections.
Content for the content to match agains.
Offset in order to make the match faster an offset into the selected option field can be set. Otherwise the entire fields content is searched.
Case Insensitive by default content matches are case sensitive. The options changes that.
Data Check opens up more options for additional options to match inside data.
Is Data At checks if there are more data at the given postion.
Is Data At Negation makes the Is Data At field a NOT Is Data At field.
Is Data At Relative makes the match for Is Data At relative to the matched content in the Content field
Flow Direction can be To Server or To Client. For HTTP or SSL/TLS connections the flow is usually To Server.
Flow Established checks for an established flow. For HTTP or SSL/TLS connections the setting is usually Established.
PCRE allows for an additional regex PCRE check. It is also possible to leave the Content field empty and only use the PCRE match.
PCRE Content should have the PCRE match content, for example /voleatech.com$|voleatech.de$/i
For App Control flows are an important concept. A flow is a conenction between a server and a client that is identified by it’s attributes. This is usually the ipaddresses, the protocol and the ports.
Data about the Application can usually only be obtained when a connection is established between a client and a server. For example for SSL/TLS the TCP connection needs to go through the TCP handshake in order to obtain the certificate and SNI information.
The connection can be blocked or accepted after the initial connection creation with App Control.
This means that a Firewall Rule Firewall Rules (Forward and Input) has to be created to allow the connection to be started. App Control is executed AFTER the firewall rules.
Apps are grouped in Categories. There are default builtin categories that can be used and you have the ability to create your own categories.
Categories are groups of Apps that can be used in App Control Rules.
App Control Rules are similiar to firewall rules. You can still narrow down the match to IP Version, Protocol, Source IP, Source Port, Destination IP and Destination Port.
The difference is, that you can also add Apps and App Categories to a rule.
It is also possible to assign QoS to a matched rule.
App Rules are processed differently than normal firewall rules. The rules are processed in the following order: Pass, Reject, Drop, Match You can change the order so Pass is processed last in the settings. Therefore App Rules order can not be changed as well.
The Settings allow you to turn on and off the App Control. You can also select the interfaces that should get traffic analyzed.
The input and output interface must be enabled for internet traffic for example LAN and WAN