@enesas said in Snort Application and site blocking Problem!:
@bmeeks I reviewed what you said. However, I couldn't quite figure it out.
For example, is there an example list of blocked drops for Youtube or another site? Also, when you add this list to SID MGMT, will it work directly, is a different setting required? When the communication problem due to language is added, it becomes a little difficult to understand.
I'm sorry for making you tired.
An IPS Policy is a pre-defined collection of rules designed to provide a given base level of security. There are four defined policies, but only three of them are useful in a production setup. The fourth policy (max-detect) is an extreme security policy designed primarily for testing only. It will block all manner of likely desired traffic.
Here are the three IPS Policies (ordered by increasing protection):
IPS Policy Connectivity
IPS Policy Balanced
IPS Policy Security

These are created by the Snort rule authors (also known as the Snort Vulnerability Research Team, or VRT). The policies exist via metadata tags included within each Snort text rule (but excluding OpenAppID; those rules are NOT part of any IPS Policy directly). When creating rules, the Snort VRT will tag each rule with one or more IPS Policy tags. That allows an automated rule selection algorithm to pick the rules tagged with a chosen policy tag.
For IDS beginners, it is best to start with the IPS Policy Connectivity policy as that one provides reasonable protection from common threats without generating too many false positives. I strongly recommend you never go higher than IPS Policy Balanced unless you are protecting military secrets or something. The "Security" policy will block a ton of desirable stuff -- meaning lots of "normal" network traffic will get blocked and cause you headaches and frustration.
However, if new to an IDS/IPS, you should start with NO blocking enabled. Choose rules but do NOT enable blocking at first. You need to let your choice of rules run in your network environment for several days or even weeks. Check the ALERTS tab often in Snort to see what alerts have triggered. Research them and determine if they might actually be false positives in your network. That is highly likely these days due to the way modern web sites work to serve ads and due to the encryption of lots of other traffic. For false-positive triggering rules, you should probably disable them.
Now let's talk about OpenAppID. For that to work you must have two different kinds of rules downloaded (or else custom created by you, the admin). One requirement is the OpenAppID rule stubs that come from the Snort VRT. That set of stubs defines the applications that Snort OpenAppID can detect and gives Snort the internal "how-to" instructions for detection. The other required piece of OpenAppID is a set of text rules that leverage those detector stubs to actually scan traffic and produce alerts. This latter set of text rules tells Snort which applications you want to look for. You must either write these text rules yourself, or you can take advantage of a starter-set of OpenAppID text rules created by a group at a University in Brazil. You can enable the download of these starter rules on the GLOBAL SETTINGS tab of Snort where you enable the download of the OpenAppID stub rules. Then on the CATEGORIES tab you can enable one or more categories of OpenAppID rules. But be aware these categories were created by a team of volunteers (University students, actually), so they may not be complete. Additionally, they have not been updated in several years. Thus many more modern applications are missing detection rules and thus won't be detected by Snort using these OpenAppID starter rules. So for any missing applications in the starter rules package, you would need to create your own Custom Rules containing the necessary syntax. You can find out more about writing OpenAppID rules here:
https://blog.snort.org/2014/04/openappid-application-rules.html
You can search on Google for other OpenAppID tutorials. Be aware that most of the recent effort with OpenAppID has been targeted for Snort3 and not legacy Snort as used on pfSense. The pfSense package is based on Snort 2.9.x and is NOT compatible with Snort3 rules! Do not attempt to use any Snort3 rules on pfSense. Doing so will totally break the Snort package on pfSense.
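As an added illustration (not part of the reply above or of the pfSense package), here is what custom OpenAppID text rules look like in legacy Snort 2.9.x syntax, the kind you would paste into the Custom Rules tab once the OpenAppID detector stubs are downloaded. The application names, SIDs and message strings are assumptions; each appid name must match a detector actually present in the loaded stub package.

```snort
# Custom OpenAppID text rules for legacy Snort 2.9.x (pfSense Snort package, Custom Rules tab).
# They only fire when the OpenAppID detector stubs are downloaded and loaded, because the
# appid keyword refers to detector names from that stub package.
# The names YouTube, Netflix and Facebook are ASSUMED to match loaded detectors; check them
# against the stub package before relying on these rules.
# Local rule SIDs should be 1000000 or higher so they never collide with vendor rule SIDs.

# Alert whenever a session identified as YouTube is seen, any port, either direction.
alert tcp any any -> any any (msg:"OPENAPPID YouTube detected"; appid:YouTube; sid:1000001; rev:1;)

# One rule can match several applications with a comma-separated list.
alert tcp any any -> any any (msg:"OPENAPPID streaming video detected"; appid:YouTube,Netflix; sid:1000002; rev:1;)

# Limit the rule to sessions originating from the protected LAN using the HOME_NET variable.
alert tcp $HOME_NET any -> any any (msg:"OPENAPPID Facebook from LAN"; appid:Facebook; sid:1000003; rev:1;)
```

The rule action stays alert: in the pfSense Snort package, whether an alerting host is blocked is decided by the interface's blocking setting, which the reply above recommends leaving off until the alerts have been reviewed for false positives.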