• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Snort 2.9.7.0 – Preview of new OpenAppID feature

pfSense Packages
15
27
17.3k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B
    bmeeks
    last edited by Dec 5, 2014, 4:49 PM

    @jflsakfja:

    You are making difficult even for me choosing between snort and suricata  :D

    An excellent feature, maybe this will help all the people wishing to block specific things (facebook, youtube) without any additional package.

    Sorry about that …  ;D.

    Will be posting a Suricata 2.0.4 preview thread shortly.  I'm adding GeoIP and IP Reputation support to Suricata in the 2.0.4 update.  That pull request is currently posted for review by the pfSense developers.

    Bill

    1 Reply Last reply Reply Quote 0
    • G
      G.D. Wusser Esq.
      last edited by Dec 18, 2014, 9:22 PM

      Just installed the package (upgraded from 2.9.6.2), and Snort disappeared from the Services.

      System:Package Manager still lists the snort package as installed.

      Rebooting pfSense does not help. Any ideas?

      Thank you

      1 Reply Last reply Reply Quote 0
      • A
        asterix
        last edited by Dec 18, 2014, 9:25 PM

        Same here… lost Snort selection under Services.

        Can access it with this link ... http://x.x.x.x/snort/snort_interfaces.php

        1 Reply Last reply Reply Quote 0
        • A
          asterix
          last edited by Dec 18, 2014, 9:29 PM

          OpenID detection package link comes up blank when the the option is checked.

          1 Reply Last reply Reply Quote 0
          • P
            priller
            last edited by Dec 18, 2014, 9:47 PM

            Ya, when enabling, it gives the error "You must supply a download URL in the box provided in order to enable OpenAppID detectors!"

            But, there is no box.  :(

            openapp.jpg
            openapp.jpg_thumb

            1 Reply Last reply Reply Quote 0
            • F
              foresthus
              last edited by Dec 18, 2014, 10:34 PM

              @priller:

              Ya, when enabling, it gives the error "You must supply a download URL in the box provided in order to enable OpenAppID detectors!"

              But, there is no box.  :(

              That is the same I am having on my pfsense. I guess there is a little bug, which be fixed soon.

              1 Reply Last reply Reply Quote 0
              • W
                Wolf666
                last edited by Dec 18, 2014, 10:55 PM

                I confirm the same problem, no url field comes up…..

                Modem Draytek Vigor 130
                pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
                Switch Cisco SG350-10
                AP Netgear R7000 (Stock FW)
                HTPC Intel NUC5i3RYH
                NAS Synology DS1515+
                NAS Synology DS213+

                1 Reply Last reply Reply Quote 0
                • S
                  susamlicubuk
                  last edited by Dec 18, 2014, 11:00 PM

                  same problem (pfsense 2.2 rc x64)
                  bmeeks help :)

                  1 Reply Last reply Reply Quote 0
                  • B
                    bmeeks
                    last edited by Dec 19, 2014, 2:14 AM

                    sorry.  there was a problem with the pull request.  I will fix it, but I need a little time.  I am not at home.

                    Bill

                    1 Reply Last reply Reply Quote 0
                    • V
                      val
                      last edited by Dec 19, 2014, 2:46 AM

                      @G.D.:

                      Just installed the package (upgraded from 2.9.6.2), and Snort disappeared from the Services.

                      System:Package Manager still lists the snort package as installed.

                      Rebooting pfSense does not help. Any ideas?

                      Thank you

                      Did you stuck on the Install screen that says "Waiting for Snort to start…."? and you clicked on something else?
                      I found if you didn't let the install finishes Snort will disappear from the Service list.
                      Because there is a bit more installs process after the "Waiting for Snort to start..." message.
                      I had my search method set on AC for both WAN and LAN and it takes AGES and I mean AGES for Snort to start.

                      Hope this helps.

                      Val

                      Intel Xeon E3-1225 V2 @ 3.20Ghz
                      Intel S1200KPR server board mini-ITX
                      A-data ECC 4GB x 2 1600MHz
                      Intel Ethernet Server Adapter I350-T2
                      Samsung 840 Pro 120GB
                      Lian-Li PC-Q15B

                      1 Reply Last reply Reply Quote 0
                      • B
                        bmeeks
                        last edited by Dec 19, 2014, 12:22 PM

                        Thanks to Renato for helping me out.  A fix was posted this morning that should correct the bogus validation error when enabling the new OpenAppID download under GLOBAL SETTINGS.

                        I will post a separate release notes thread.

                        For those of you having the service disappear from the menu, make sure you have space available on /tmp and /var.  Also give Snort plenty of time to restart.  Depending on your setup, this can take a while.  You will get a confirmation message on the screen.

                        Bill

                        1 Reply Last reply Reply Quote 0
                        • S
                          snm777
                          last edited by Dec 19, 2014, 3:21 PM

                          Wow, this is great, thank you!
                          I have run into an issue writing the example rule, and I'm wondering if it is because I'm on the 64-bit version of pfsense, or perhaps I just can't type :)  Here is what I entered in the LAN custom rules:
                          alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"facebook Reddit or Twitter applicaionts"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

                          When I hit save, I get this error:
                          https://www.dropbox.com/s/ux2b3bz6vypu2gz/Screenshot%202014-12-19%2010.17.58.png?dl=0

                          text is Custom rules have errors: Fatal Error, Quitting…ERROR: /usr/pbi/snort-amd64/etc/snort/snort_50141_em/rules/custom.rules(1) Rule options must be enclosed in '('and')'.

                          I have tried modifying my input to match what it suggests, but I keep getting the same error no matter what I do.  Have I missed something blindingly obvious, or is there possibly something "different" about 64-bit pfsense that might be causing this - or anything else I cna check, really.  Thanks, I'm really looking forward to using this!

                          1 Reply Last reply Reply Quote 0
                          • T
                            turker
                            last edited by Dec 19, 2014, 4:32 PM

                            Try this

                            alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; classtype:misc-activity; sid:1000000; rev:1;)
                            

                            @snm777:

                            Wow, this is great, thank you!
                            I have run into an issue writing the example rule, and I'm wondering if it is because I'm on the 64-bit version of pfsense, or perhaps I just can't type :)  Here is what I entered in the LAN custom rules:
                            alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"facebook Reddit or Twitter applicaionts"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

                            When I hit save, I get this error:
                            https://www.dropbox.com/s/ux2b3bz6vypu2gz/Screenshot%202014-12-19%2010.17.58.png?dl=0

                            text is Custom rules have errors: Fatal Error, Quitting…ERROR: /usr/pbi/snort-amd64/etc/snort/snort_50141_em/rules/custom.rules(1) Rule options must be enclosed in '('and')'.

                            I have tried modifying my input to match what it suggests, but I keep getting the same error no matter what I do.  Have I missed something blindingly obvious, or is there possibly something "different" about 64-bit pfsense that might be causing this - or anything else I cna check, really.  Thanks, I'm really looking forward to using this!

                            1 Reply Last reply Reply Quote 0
                            • S
                              Supermule Banned
                              last edited by Dec 19, 2014, 5:06 PM

                              Can we have a default syntax rule somewhere in there?

                              Just so we dont have to write the darn thing from scratch knowing that I will screw it up a million times :D

                              1 Reply Last reply Reply Quote 0
                              • S
                                Supermule Banned
                                last edited by Dec 19, 2014, 5:20 PM

                                The rule for this syntax

                                alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

                                Has this effect in firefox… Facebook is not working, Reddit is not working but Twitter works like a charm.

                                So no effect on Twitter...

                                1 Reply Last reply Reply Quote 0
                                • B
                                  bmeeks
                                  last edited by Dec 19, 2014, 5:29 PM

                                  @Supermule:

                                  The rule for this syntax

                                  alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

                                  Has this effect in firefox… Facebook is not working, Reddit is not working but Twitter works like a charm.

                                  So no effect on Twitter...

                                  I had some problems with Twitter.  As I posted in the Release Notes thread a few minutes ago, this is a brand new feature to Snort everywhere (and not just pfSense).

                                  There are no absolute ironclad rules yet that I am aware of.  I posted a link in the Release Notes thread to the VRT Blog site where you can find some more info.

                                  Bill

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    Supermule Banned
                                    last edited by Dec 19, 2014, 5:33 PM

                                    But it should be so easy if PfSense had Layer 7 inspection built in??

                                    ISA Server had it and it worked like a charm.

                                    Tell it to block facebook and it did…Like Snort is doing now, but somehow much more elegant if you know what I mean.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      Supermule Banned
                                      last edited by Dec 19, 2014, 5:40 PM

                                      http://rbgeek.wordpress.com/2012/05/29/how-to-block-facebook-in-mikrotik-using-l7-protocols-layer-7/

                                      1 Reply Last reply Reply Quote 0
                                      • B
                                        bmeeks
                                        last edited by Dec 19, 2014, 6:54 PM

                                        @Supermule:

                                        But it should be so easy if PfSense had Layer 7 inspection built in??

                                        ISA Server had it and it worked like a charm.

                                        Tell it to block facebook and it did…Like Snort is doing now, but somehow much more elegant if you know what I mean.

                                        I would expect some collections of common app rules to start appearing as this feature becomes more widespread.  Sourcefire (Cisco) just open-sourced this technology in Snort 2.9.7.0.  That's why info is currently scarce.

                                        Today it is a little awkward to use because you must write your own rules.

                                        OpenAppID uses Lua scripts for the app detection coding.  It might could be adapted into the pf L7 filter one day, but I'm not sure.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • B bmeeks referenced this topic on Jun 21, 2023, 8:09 PM
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.