GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.

michmoor

@JonathanLee Great job on documenting this and giving people another way of blocking applications on pfsense

JonathanLee

@michmoor I think inline and legacy also have differences when and if you can drop or reject items. However you can see alerts and that is a huge plus to know what is going on for items you don't want access like ChatGPT for example especially for businesses that have employees doing online training to make sure they are not using it during a paid training over employees that study take notes and do the right thing.

Screenshot 2023-10-04 at 9.43.32 AM.png

bmeeks

Be careful using OpenAppID with Legacy Mode Blocking. That blocking mode is an "all or nothing" proposition -- meaning each ALERT equals a block of that host (assuming the host is not covered by a Pass List entry). That can result in completely blocking a host that might have other traffic you want to pass or access. A Legacy Mode Block of a host is a total block of all traffic on all ports for that host. The mode blocks the IP address completely.

Inline IPS Mode is much better suited for OpenAppID because then you can tailor the rule actions to have granular security. You can have some rules drop (and thus block) traffic while other rules simply generate alerts in the log (but do not block the traffic). Inline IPS Mode can selectively drop particular packets while continuing to allow other packets from a host not matching an IPS rule to flow freely.

JonathanLee

@bmeeks I can not get inline to run on LAN for Netgate's official SG-2100 MAX and it needs to run inline for AppID to block.

Screenshot 2023-10-04 at 6.17.03 PM.png

The other mode only detects and alerts

Screenshot 2023-10-04 at 6.36.31 PM.png

Updated

Screenshot 2023-10-04 at 6.34.52 PM.png

Same Results will not work with lan

bmeeks

@JonathanLee said in GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.:

Same Results will not work with lan

That's because the physical NIC in that box is not supported by the FreeBSD native netmap device. These are the NICs that are supported for native mode operation:

'cc', 'cxl', 'cxgbe', 'em', 'igb', 'em', 'lem', 'ix', 'ixgbe', 'ixl', 're', 'vtnet', 'ena', 'ice', 'igc', 'bnxt', and 'vmx'

Inline IPS Mode uses the netmap device in the kernel, and that device is not supported by all NIC drivers. The move to the iflib network driver wrapper library helped expand the supported devices, but still not every NIC type is supported as not all of them have been ported to iflib.

Bob.Dig

How hard would it be to create an alert for every AppID when they are already named in the log file anyway? Just curious.

bmeeks

@Bob-Dig said in GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.:

How hard would it be to create an alert for every AppID when they are already named in the log file anyway? Just curious.

I don't understand exactly what you are suggesting. The code already generates an alert for every AppID when the associated text rule is triggered. AppID works just like all the other Snort rules. If you do not have a text rule for a particular app, then it won't trigger an alert.

I think folks still have a major misunderstanding about OpenAppID and how it works. It has an app detection engine written in Lua, but then uses associated text rules created by the user (or someone else) to actually inspect traffic against. In that regards it works exactly like any other rule. No rule, then no alert.

JonathanLee

@Bob-Dig

Here is, the fully converted appMapping.data to text rule file alert ... Use only what you need or if you have the memory use them all. I have a 2100-MAX so I do not have the memory for all of them.

Screenshot 2023-10-04 at 5.58.46 PM.jpg

The pfSense Snort AppID de-cipher sorcerer's code file: --> textrules.txt
The pfSense Snort AppID de-cipher sorcerer's code file with case sensitive messages: --> textrules2.txt
Sid range: 1000000 - 1003371

Total 3,371 AppID rules you can use with the custom option.

I converted it with a Java program I just made. The message is the same as the appid match it makes it easier.

Some of the ieee items are bigger but they seem to match.

Screenshot 2023-10-05 at 5.06.47 PM.png
(you can load the full set into custom however you will have to comb it yourself after as it will generate an app id alert for everything)

I would only use what you need or need blocked.

michmoor

@JonathanLee This is good at least to gain that extra visibility on what applications are seen so i think there is value in that.
The downside is that because these arent categorized in any way you dont have the easy button of saying 'block all social media'. Thats ultimately the way to do it. But this is for sure half the battle.
Interesting enough, Cisco OpenAppId has 5,995 so there are some missing from the list. There isnt a 1to1 relationship with whats available from Snort and whats available on Cisco's service.

JonathanLee

@michmoor I am very thankful they shared what they have with the open source community. For a small non enterprise network, or some individuals that are working from home, something like this really helps with cyber security. Thank you Cisco, Snort, and pfSense.