[WORK] snort: blocking layer 7 protocols - custom rule for block openvpn



  • Hi.

    I have enabled OpenAppID in Snort on pfSense 2.3.2_1.

    I made a custom rule to block OpenVPN:

    alert udp any any -> any any (msg: "OpenVPN"; classtype:attempted-recon; appid: openvpn ; sid:9000001; rev:1;)
    

    Is the syntax/format right for this rule?

    In my log I see:

    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4110 is UNKNOWN
    Nov 3 16:58:28 	snort 	32611 	Invalid direct service AppId, 4110, for 0x80a492500 0x819ade3c0
    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4043 is UNKNOWN
    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4109 is UNKNOWN
    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4115 is UNKNOWN 
    

    Regards



  • Hi.

    :)

    All right, now it works fine for me:

    I did this:

    -    Services > Snort > Global Settings > Sourcefire OpenAppID Detectors

    -    Services > Snort > Preprocessors and Flow > LAN > Application ID Detection

    The snort custom rules in LAN:

    alert tcp any any -> any any (msg:"Facebook1"; appid: facebook; sid: 9000101; classtype:misc-activity; rev:1;)
    alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000103; classtype:misc-activity; rev:1;)
    alert tcp any any -> any any (msg:"Facebook2"; appid: facebook_apps;sid: 9000105; classtype:misc-activity; rev:1;)
    alert tcp any any -> any any (msg:"Facebook3"; appid: facebook_like;sid: 9000107; classtype:misc-activity; rev:1;)
    alert tcp any any -> any any (msg:"Twitter1"; appid: twitter;sid: 9000109; classtype:misc-activity; rev:1;)
    
    -    Restart the Snort service

    And now my pfSense drops OpenVPN traffic on the LAN side (and Facebook and Twitter)

    Regards



  • Hi.

    On my LAN, I only detect OpenVPN traffic over UDP.

    But to block via Snort & OpenAppID, the custom rules for OpenVPN over TCP & UDP:

    alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000201; classtype:misc-activity; rev:1;)
    alert tcp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000202; classtype:misc-activity; rev:1;)
    

    Regards
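The custom rules in the two replies above (the Facebook/Twitter/OpenVPN set and the TCP+UDP OpenVPN pair) are the kind of thing that silently stops working when a SID is duplicated, a trailing `;` is missing, or the `appid` option is forgotten. The following linter is an added example written for this thread, not code from the pfSense Snort package or from the posters; it parses Snort 2.x rule headers and option lists with a small hand-written parser, checks the options the thread relies on, and flags SIDs below 1,000,000, which Snort reserves for official rule sets. The `BAD_RULES` list is constructed to show each finding; the sample rules in `THREAD_RULES` are copied from the posts.

```python
"""Lint a set of Snort 2.x custom rules that use the OpenAppID 'appid' option."""
import re
from dataclasses import dataclass

# Snort 2.x rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for official rule sets


@dataclass
class Rule:
    action: str
    proto: str
    options: list  # ordered (key, value) pairs; value is None for bare flags

    def get(self, key):
        """Return the first value for an option key, or None if absent."""
        for k, v in self.options:
            if k == key:
                return v
        return None


def split_options(opts: str):
    """Split the option body into (key, value) pairs.

    Every option must end with ';', but a ';' inside a quoted msg must not split.
    """
    pairs, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(buf).strip()
            if token:
                key, sep, value = token.partition(":")
                pairs.append((key.strip(), value.strip() if sep else None))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    return pairs


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("header does not match 'action proto src sport -> dst dport (...)'")
    return Rule(m.group("action"), m.group("proto"), split_options(m.group("opts")))


def lint_rules(lines):
    """Return (line_number, message) findings; an empty list means the set is clean."""
    findings, seen_sids = [], {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as e:
            findings.append((n, str(e)))
            continue
        for key in ("msg", "sid", "rev"):
            if rule.get(key) is None:
                findings.append((n, f"missing required option '{key}'"))
        if rule.get("appid") is None:
            findings.append((n, "no 'appid' option: this rule does not use OpenAppID"))
        sid = rule.get("sid")
        if sid is not None:
            if not sid.isdigit():
                findings.append((n, f"sid '{sid}' is not numeric"))
            elif int(sid) < LOCAL_SID_MIN:
                findings.append((n, f"sid {sid} is below {LOCAL_SID_MIN}; reserved for official rules"))
            elif sid in seen_sids:
                findings.append((n, f"sid {sid} already used on line {seen_sids[sid]}"))
            else:
                seen_sids[sid] = n
    return findings


# Rules copied from the thread above.
THREAD_RULES = [
    'alert udp any any -> any any (msg: "OpenVPN"; classtype:attempted-recon; appid: openvpn ; sid:9000001; rev:1;)',
    'alert tcp any any -> any any (msg:"Facebook1"; appid: facebook; sid: 9000101; classtype:misc-activity; rev:1;)',
    'alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000201; classtype:misc-activity; rev:1;)',
    'alert tcp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000202; classtype:misc-activity; rev:1;)',
]

# Constructed rules with one defect each (not from the thread).
BAD_RULES = [
    'alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn; sid: 9000103; rev:1;)',
    'alert tcp any any -> any any (msg:"OpenVPN tcp"; appid: openvpn; sid: 9000103; rev:1;)',  # duplicate sid
    'alert tcp any any -> any any (msg:"no appid"; sid: 100; rev:1;)',  # no appid, reserved sid
    'alert tcp any any -> any any (msg:"unterminated"; appid: twitter; sid: 9000110; rev:1)',  # missing final ;
]

if __name__ == "__main__":
    for n, msg in lint_rules(THREAD_RULES + BAD_RULES):
        print(f"line {n}: {msg}")
```

Run it before pasting a rule set into the LAN interface's custom rules; the thread's own rules pass clean, and each constructed bad rule produces the finding noted in its comment. The `alert` action is kept as-is because in the pfSense Snort package blocking is done from alerts by the Block Offenders setting rather than by a `drop` action in the rule.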



  • Hi

    There are too many factors in a Snort / pfSense configuration to know what fails without knowing the whole configuration.

    Do you have the LAN interface configured in Snort?

    Regards.



  • Hi.

    These alerts are not a real problem, do not worry.

    Time                         Process	PID	        Message
    Dec 14 16:02:30	kernel                      re1: promiscuous mode enabled
    Dec 14 16:02:26	snort	91336	AppInfo: AppId 4110 is UNKNOWN
    Dec 14 16:02:26	snort	91336	Invalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0
    Dec 14 16:02:26	snort	91336	AppInfo: AppId 4043 is UNKNOWN
    Dec 14 16:02:26	snort	91336	AppInfo: AppId 4109 is UNKNOWN
    Dec 14 16:02:26	snort	91336	AppInfo: AppId 4115 is UNKNOWN
    Dec 14 16:02:25	php-fpm	85745	/snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...
    Dec 14 16:02:24	kernel		        re1: promiscuous mode disabled
    

    Regards
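The log excerpt above shows why the `AppId ... is UNKNOWN` lines are harmless: they appear one second after `Snort START for LAN`, while the OpenAppID detectors are being loaded. The following script is an added example, not part of the thread or of pfSense; it parses the pfSense system-log columns shown above and applies a heuristic of my own (assumed, not a pfSense or Snort rule): an AppId message within `STARTUP_WINDOW_S` seconds of a Snort start is startup noise, anything later is worth a look. The sample log repeats the Dec 14 lines from the post plus one constructed runtime line (AppId 4200, year assumed to be 2016 because the log carries no year).

```python
"""Separate startup-time OpenAppID 'UNKNOWN' messages from runtime ones in a pfSense log."""
import re
from datetime import datetime

# pfSense log columns: "Mon DD HH:MM:SS <process> [<pid>] <message>" (tabs or spaces)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>\S+)\s+(?:(?P<pid>\d+)\s+)?(?P<msg>.+)$"
)
APPID_RE = re.compile(r"AppId (\d+) is UNKNOWN")
START_MARK = "Snort START for"
STARTUP_WINDOW_S = 60  # assumed grace period after a Snort start


def parse_line(line, year=2016):
    """Return a dict for one log line, or None for headers and unparsable text."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padding pfSense adds
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proc": m["proc"], "pid": m["pid"], "msg": m["msg"]}


def triage(lines, year=2016):
    """Classify AppId UNKNOWN messages as startup noise or runtime events."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # pfSense shows newest first
    starts = [e["ts"] for e in events if START_MARK in e["msg"]]
    startup, runtime = set(), set()
    for e in events:
        m = APPID_RE.search(e["msg"])
        if not m:
            continue
        near_start = any(
            0 <= (e["ts"] - s).total_seconds() <= STARTUP_WINDOW_S for s in starts
        )
        (startup if near_start else runtime).add(int(m.group(1)))
    return {
        "starts": len(starts),
        "startup_unknown_appids": sorted(startup),
        "runtime_unknown_appids": sorted(runtime),
    }


# Constructed sample: the lines from the post, plus one runtime line (AppId 4200).
SAMPLE_LOG = [
    "Time                         Process\tPID\t        Message",
    "Dec 14 17:30:00\tsnort\t91336\tAppInfo: AppId 4200 is UNKNOWN",
    "Dec 14 16:02:30\tkernel                      re1: promiscuous mode enabled",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4110 is UNKNOWN",
    "Dec 14 16:02:26\tsnort\t91336\tInvalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4043 is UNKNOWN",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4109 is UNKNOWN",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4115 is UNKNOWN",
    "Dec 14 16:02:25\tphp-fpm\t85745\t/snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...",
    "Dec 14 16:02:24\tkernel\t\t        re1: promiscuous mode disabled",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

With the sample above the four AppIds from the post land in `startup_unknown_appids` and only the constructed 4200 is reported as a runtime event; the header row and the kernel lines are parsed or skipped without error.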