Application Signatures

Open Source vs Commercial Signatures

Netify's open-source signature list includes 200 application definitions, offering a transparent and collaborative approach for flow classification and cybersecurity directed toward enthusiasts and developers. It provides a solid foundation for understanding the bulk traffic traversing a network.

On the other hand, Netify's commercial application signature list goes further, with over 1600 applications, making it a robust choice for businesses, enterprises, and OEM/edge gateway partners. This extensive list excels in detecting a wide range of threats and is designed to evolve with emerging cybersecurity challenges. Together, these offerings cater to both community-driven initiatives and the sophisticated needs of organizations seeking reliable DPI and classification solutions.

Access and License to Use

Anyone is permitted to use the Open Source application signature list. The signature list is packaged with all versions of the Netify agent and can be found in /etc/netifyd/netify-apps.conf.

The commercial application list is provided to any current Netify Informatics or Netify Data Feeds service subscriber.

In-Agent Updates

To access in-agent updates, check the main Netify configuration file, /etc/netifyd.conf. In the [netify-api] section, enable must be set to yes.

[netify-api]

# Enable/disable integration with Netify Informatics
enable = yes

API

This method is restricted to Netify clients who have been issued a Netify API Vendor key. Documentation to pull application signature updates from the Netify API can be found here.

After pushing a new netify-apps.conf application signature file to an endpoint, a 'HUP' signal must be sent to the agent before it begins using the file. To do this, run:

sudo systemctl reload netifyd

Continuous Updates

The application signature list is continuously being updated. It is recommended to check for updates as frequently as every day and at least every month.

Determining which Signature List is in Use

If you are unsure which application signature list your Netify agent is using, there are a number of ways to find out.

Signature File Header

Use the head command to display the header present at the top of the signature file:

head -15 /usr/share/netifyd/netify-apps.conf
# Netify Application Signatures
#
# Copyright 2024 eGloo Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

If you see a reference to the Apache Version 2.0 License, you are using the Open Source Application Signature list. If you see references to proprietary licensing that does not permit the right to redistribute, you are using the commercial Application Signature list.

Netify Status Output

As a privileged user, run:

netifyd -s
Netify Agent/5.0.56-HEAD-2616-4bc869c2 (debian; linux-gnu; x86_64; conntrack; netlink; dns-cache; tpv3; tcmalloc; regex)
✓ agent is running: PID 18154
• agent timestamp: Thu Oct 24 12:23:33 2024
...
• apps: 199, domains: 3374, networks: 783, soft-dissectors: 26, transforms: 0

Look for a line listing the apps, domains, networks and other counters. If this output shows fewer than 200 applications present (e.g. apps: 199), this is an indication that you are using the Open Source Application list.

Application

The application signature list contains all applications Netify is tracking. If you are using the Open Source version, it will contain exactly 200 of the top applications we see, by usage. For the commercial list, you will see a much larger list - over 2100 at the time of writing.

One way to get a view of the applications Netify is using is to run:

netifyd --dump-apps

Alternatively, the source of this export is the Application Signatures file, netify-apps.conf, located in /etc/netifyd/. Each application entry is prefixed with app. Example:

app:11236:netify.apple-cdn
app:11892:netify.bingbot
app:12041:netify.bytedance-cdn
...

Classifier Types in Application Signatures

Application signatures in Netify use classifiers to define how traffic should be matched and attributed. These classifiers enable flexible and precise detection based on multiple attributes. Below are the primary types:

dom - Domain Classifier

This classifier matches on fully qualified domain names (FQDNs). It supports exact domains, wildcards, and suffix-based matching. Example:

dom:10462:volvo.com.edgekey.net

Behavior: Matches DNS queries and TLS SNI for volvo.com.edgekey.net and its subdomains, attributing them to Volvo (application ID 10462).

net - Network/CIDR Classifier

Matches based on IP addresses or CIDR blocks. Useful for services with static IP allocations or private infrastructure. Example:

net:141:208.253.254.0/24

Behavior: Attributes any traffic with a source or destination IP in the specified network (208.253.254.0/24) to Webex (application ID 141).

nsd - Netify Soft Dissector

Applies protocol-level signatures using internal soft-dissector logic. It allows matching based on heuristics, patterns, or DPI-based rules. The format is application override:protocol override:Base64 signature. Example:

nsd:-1:39:YXBwID09ICduZXRpZnkuc2lnbmFsJyAmJiBwcm90b2NvbF9pZCA9PSA3ODs=

Behavior: Invokes built-in protocol detection. The application of a matching flow will not be overridden (-1), but the protocol will be classified as SignalCall (protocol ID 39).

aio - Application IP Override

Available in Netify Agent version 5.1.12 and later.

The aio classifier allows associating static IPs with an application signature, bypassing normal detection heuristics. This is useful for edge cases of undermatched classifications (e.g. Meta vs WhatsApp). AIO types are optional, with each IP address requiring approximately 521 bytes of memory. Example:

aio:142:31.13.73.53/32

Behavior: Forces traffic from the specified IP(s) to match the defined application WhatsApp (application ID 142), regardless of domain or other classifiers.
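
A pre-reload check for a signature file pushed to an endpoint, added here as an example (it is not Netify's own code): it parses the five entry types described above, validates CIDR blocks and the nsd Base64 field, decodes the nsd expression so it can be reviewed, and reports whether the Apache header is present. The field layout is inferred from the examples on this page, and the function names and the two deliberately malformed sample lines are assumptions made for the illustration.

```python
import base64
import ipaddress
from collections import Counter

# Constructed sample: entries quoted on this page plus two deliberately bad lines.
SAMPLE = """\
# Licensed under the Apache License, Version 2.0 (the "License");
app:11236:netify.apple-cdn
dom:10462:volvo.com.edgekey.net
net:141:208.253.254.0/24
aio:142:31.13.73.53/32
nsd:-1:39:YXBwID09ICduZXRpZnkuc2lnbmFsJyAmJiBwcm90b2NvbF9pZCA9PSA3ODs=
net:141:208.253.254.0/33
nsd:-1:39:not*base64
"""

def parse_line(line):
    """Parse one classifier entry into (kind, fields); raise ValueError if malformed."""
    kind, _, rest = line.partition(":")
    if kind in ("app", "dom"):
        ident, value = rest.split(":", 1)
        return kind, {"id": int(ident), "value": value}
    if kind in ("net", "aio"):
        ident, cidr = rest.split(":", 1)  # maxsplit keeps IPv6 colons intact
        return kind, {"id": int(ident), "net": ipaddress.ip_network(cidr, strict=False)}
    if kind == "nsd":
        app, proto, blob = rest.split(":", 2)
        try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
            expr = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError as exc:
            raise ValueError(f"bad Base64 signature: {exc}") from None
        return kind, {"app": int(app), "proto": int(proto), "expr": expr}
    raise ValueError(f"unknown classifier type {kind!r}")

def audit(text):
    """Return (entries, errors, per-type counts, has_apache_header) for a signature file."""
    entries, errors, header = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            header.append(line)
        elif line:
            try:
                entries.append(parse_line(line))
            except ValueError as exc:
                errors.append((lineno, str(exc)))
    counts = Counter(kind for kind, _ in entries)
    apache = any("Apache License, Version 2.0" in h for h in header)
    return entries, errors, counts, apache
```

Run audit() on the file contents before reloading the agent; a non-empty errors list, or an entry type reported as unknown, means the file differs from the layout assumed here and should be inspected by hand.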
