GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.

JonathanLee

Hello fellow Netgate community members,

I wanted to share something with you as you have all shared so much with me over the years.

I have found an amazing way to make AppID work for what you need quickly without all the issues.

I simply only use custom rules to block what I need.

For example I only want to detect and block ChatGPT or Itunes. This can be anything you want. As long as it is listed inside the appMapping.data file.

1. Enable AppID

(Only use OpenAppID not text rules)

2. Enable preprocessor under edit interface

(make sure both radio options are checked)

3. Wait for stats log to start populating. This log is what AppID has detected so far.

(IMAGE: LOGS)

There is no alert rules that is the major issue AppID will create stats logs all day with detections. However, if you want to make it block at a granular AppID level we must create some alert rules.
Next Example I want Itunes and ChatGPT

5. Go to the following path in edit. We are not really changing anything in this file we are just trying to find the actual text rule to cross reference with log.stats above.

Path:    /usr/local/etc/snort/appid/odp/appMapping.data

Now that you have referenced the text rule the lowercase side copy this for your custom rule.

6. Create a custom alert on rule.

(use the custom entry area mine already has some rules I have been testing)

Here is some that seem to work for my system. Notice Itunes it's sid starts at 1,000,000 this is where you want to start your custom rules so you do not interfere with Snorts rules already in place.

alert tcp any any -> any any (msg:"iTunes"; appid:itunes; sid:1000000; rev:1)
alert tcp any any -> any any (msg:"iCloud"; appid:icloud; sid:1000001; rev:1)
alert tcp any any -> any any (msg:"LinkedIn"; appid:linkedin; sid:1000002; rev:1)
alert tcp any any -> any any (msg:"ChatGPT"; appid:chatgpt; sid:1000003; rev:1)
alert tcp any any -> any any (msg:"Amazon Ad System"; appid:amazon_ad_sys; sid:1000004; rev:1)
alert tcp any any -> any any (msg:"DoubleClick"; appid:doubleclick; sid:1000005; rev:1)

7. Wait for the alerts to show up and set them to block if needed notice the sid again 1000000-5 are now being listed in my alerts tab.

Thus you can use Snort and block at an AppID granular detection level similar to a url blocker.

8. Now that your getting Snort to alarm change your custom rule from alert to drop.

drop tcp any any -> any any (msg:"DoubleClick"; appid:doubleclick; sid:1000005; rev:1)

doubleclick net is now gone forever on your network. Or if your a school and have an english class you can set it to block ChatGPT forever on specific subnets and force students to write their own papers.

I hope you enjoy my researching of AppID inside of Snort for use with Netgate's pfSense firewall software.

9. Thumbs up this post and have a good day.

michmoor

@JonathanLee Great job on documenting this and giving people another way of blocking applications on pfsense

JonathanLee

@michmoor I think inline and legacy also have differences when and if you can drop or reject items. However you can see alerts and that is a huge plus to know what is going on for items you don't want access like ChatGPT for example especially for businesses that have employees doing online training to make sure they are not using it during a paid training over employees that study take notes and do the right thing.

bmeeks

Be careful using OpenAppID with Legacy Mode Blocking. That blocking mode is an "all or nothing" proposition -- meaning each ALERT equals a block of that host (assuming the host is not covered by a Pass List entry). That can result in completely blocking a host that might have other traffic you want to pass or access. A Legacy Mode Block of a host is a total block of all traffic on all ports for that host. The mode blocks the IP address completely.

Inline IPS Mode is much better suited for OpenAppID because then you can tailor the rule actions to have granular security. You can have some rules drop (and thus block) traffic while other rules simply generate alerts in the log (but do not block the traffic). Inline IPS Mode can selectively drop particular packets while continuing to allow other packets from a host not matching an IPS rule to flow freely.

JonathanLee

@bmeeks I can not get inline to run on LAN for Netgate's official SG-2100 MAX and it needs to run inline for AppID to block.

The other mode only detects and alerts

Updated

Same Results will not work with lan

bmeeks

@JonathanLee said in GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.:

Same Results will not work with lan

That's because the physical NIC in that box is not supported by the FreeBSD native netmap device. These are the NICs that are supported for native mode operation:

'cc', 'cxl', 'cxgbe', 'em', 'igb', 'em', 'lem', 'ix', 'ixgbe', 'ixl', 're', 'vtnet', 'ena', 'ice', 'igc', 'bnxt', and 'vmx'

Inline IPS Mode uses the netmap device in the kernel, and that device is not supported by all NIC drivers. The move to the iflib network driver wrapper library helped expand the supported devices, but still not every NIC type is supported as not all of them have been ported to iflib.

Bob.Dig

How hard would it be to create an alert for every AppID when they are already named in the log file anyway? Just curious.

bmeeks

@Bob-Dig said in GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.:

How hard would it be to create an alert for every AppID when they are already named in the log file anyway? Just curious.

I don't understand exactly what you are suggesting. The code already generates an alert for every AppID when the associated text rule is triggered. AppID works just like all the other Snort rules. If you do not have a text rule for a particular app, then it won't trigger an alert.

I think folks still have a major misunderstanding about OpenAppID and how it works. It has an app detection engine written in Lua, but then uses associated text rules created by the user (or someone else) to actually inspect traffic against. In that regards it works exactly like any other rule. No rule, then no alert.

JonathanLee

@Bob-Dig

Here is, the fully converted appMapping.data to text rule file alert ... Use only what you need or if you have the memory use them all. I have a 2100-MAX so I do not have the memory for all of them.

The pfSense Snort AppID de-cipher sorcerer's code file: --> textrules.txt
The pfSense Snort AppID de-cipher sorcerer's code file with case sensitive messages: --> textrules2.txt
Sid range: 1000000 - 1003371

Total 3,371 AppID rules you can use with the custom option.

I converted it with a Java program I just made. The message is the same as the appid match it makes it easier.

Some of the ieee items are bigger but they seem to match.

(you can load the full set into custom however you will have to comb it yourself after as it will generate an app id alert for everything)

I would only use what you need or need blocked.

michmoor

@JonathanLee This is good at least to gain that extra visibility on what applications are seen so i think there is value in that.
The downside is that because these arent categorized in any way you dont have the easy button of saying 'block all social media'. Thats ultimately the way to do it. But this is for sure half the battle.
Interesting enough, Cisco OpenAppId has 5,995 so there are some missing from the list. There isnt a 1to1 relationship with whats available from Snort and whats available on Cisco's service.

JonathanLee

@michmoor I am very thankful they shared what they have with the open source community. For a small non enterprise network, or some individuals that are working from home, something like this really helps with cyber security. Thank you Cisco, Snort, and pfSense.