Publication Date

4-13-2026

Abstract

This paper evaluates the practical capabilities and limitations of a widely used open-source network security stack—pfSense firewall, Snort Intrusion Detection System (IDS), and OpenAppID detectors—in academic cybersecurity laboratories and small-to-medium enterprise (SME)-like environments. In a controlled virtual testbed, we measure application-level and feature-level identification performance for major applications (Facebook, YouTube, Zoom) using the pfSense/Snort/OpenAppID configuration. The stack achieves 97% application-level identification accuracy for these applications in our lab dataset, drawing on a library of 3,374 OpenAppID detectors. However, our experiments reveal a substantial feature-level detection gap: specific functions such as Zoom file transfers and Facebook messaging cannot be reliably identified or blocked despite correct application-level classification. These findings clarify the architectural limitations of signature-based inspection on encrypted traffic and of pfSense plug-in deployments, and provide evidence-based guidance for cybersecurity educators and SME administrators when selecting tools and setting realistic expectations. We argue that achieving fine-grained, feature-specific policy control will require hybrid approaches that combine traditional signatures with advanced machine-learning-based traffic classification rather than relying on signature-based methods alone.
