Netgate Discussion Forum
[WORK] Snort: blocking layer 7 protocols - custom rule to block OpenVPN

IDS/IPS
  javcasta, Nov 3, 2016, 5:59 PM (last edited Nov 4, 2016, 2:58 PM)

    Hi.

    I have enabled OpenAppID in Snort on pfSense 2.3.2_1.

    I made a custom rule to block OpenVPN:

    alert udp any any -> any any (msg: "OpenVPN"; classtype:attempted-recon; appid: openvpn ; sid:9000001; rev:1;)
    

    Is the syntax/format of this rule right?

    In my log I see:

    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4110 is UNKNOWN
    Nov 3 16:58:28 	snort 	32611 	Invalid direct service AppId, 4110, for 0x80a492500 0x819ade3c0
    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4043 is UNKNOWN
    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4109 is UNKNOWN
    Nov 3 16:58:28 	snort 	32611 	AppInfo: AppId 4115 is UNKNOWN 
    

    Regards

    Javier Castañón
    Communications, support and systems technician.

    My website: https://javcasta.com/

    Scripting/pfSense support: https://javcasta.com/soporte/

    javcasta, last edited Nov 4, 2016, 2:57 PM

      Hi.

      :)

      All right, now it works fine for me:

      What I did:

      - Services > Snort > Global Settings > Sourcefire OpenAppID Detectors: click to enable download of Sourcefire OpenAppID Detectors.

      - Services > Snort > Preprocessors and Flow > LAN > Application ID Detection: "Use OpenAppID to detect various applications. Default is Not Checked."

      The Snort custom rules on LAN:

      alert tcp any any -> any any (msg:"Facebook1"; appid: facebook; sid: 9000101; classtype:misc-activity; rev:1;)
      alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000103; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (msg:"Facebook2"; appid: facebook_apps;sid: 9000105; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (msg:"Facebook3"; appid: facebook_like;sid: 9000107; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (msg:"Twitter1"; appid: twitter;sid: 9000109; classtype:misc-activity; rev:1;)
      
      - restart the Snort service

      And now my pfSense drops OpenVPN traffic on the LAN side (and Facebook and Twitter)

      Regards

        javcasta, last edited Nov 10, 2016, 11:39 AM

        Hi.

        On my LAN, I only detect OpenVPN traffic over UDP.

        But to block via Snort & OpenAppID, the custom rules for OpenVPN over TCP & UDP:

        alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000201; classtype:misc-activity; rev:1;)
        alert tcp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000202; classtype:misc-activity; rev:1;)
        

        Regards

          javcasta, last edited Nov 27, 2016, 2:35 PM
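        The rule set built up in the two posts above (one rule per application, one per protocol, each with its own SID, then a TCP/UDP pair for OpenVPN) can be generated and sanity-checked rather than typed by hand. The script below is an added example, not code from this thread or from the pfSense Snort package: it renders appid rules for a list of application names, hands out SIDs sequentially from a starting value, and validates existing rule text for the options this thread relies on (msg, appid, sid, rev), for SIDs below the local-rule range (Snort uses SIDs of 1,000,000 and above for local rules) and for duplicate SIDs across one interface's custom rules. The application names, the starting SID and the `AppIdRule` / `validate_rules` helpers are this example's own assumptions. The rules keep the `alert` action used in the thread; on the pfSense Snort package it is the interface's Block Offenders setting that turns those alerts into blocks.

```python
import re
from dataclasses import dataclass

# Snort rule header followed by the option list in parentheses.
# Hypothetical validator for this thread's rule style, not the package's own parser.
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

LOCAL_SID_MIN = 1_000_000   # Snort: SIDs below this belong to distributed rule sets


@dataclass(frozen=True)
class AppIdRule:
    """One OpenAppID rule: alert on <proto> traffic whose detected application is <app>."""
    app: str
    proto: str
    sid: int
    msg: str
    classtype: str = "misc-activity"
    rev: int = 1

    def render(self) -> str:
        return (f'alert {self.proto} any any -> any any '
                f'(msg:"{self.msg}"; appid:{self.app}; classtype:{self.classtype}; '
                f'sid:{self.sid}; rev:{self.rev};)')


def generate_rules(apps, start_sid, protos=("tcp", "udp")):
    """One rule per (application, protocol); SIDs handed out sequentially from start_sid."""
    rules, sid = [], start_sid
    for app in apps:
        for proto in protos:
            rules.append(AppIdRule(app=app, proto=proto, sid=sid, msg=f"{app} ({proto})"))
            sid += 1
    return rules


def parse_options(opts):
    """Split 'k:v; k:v; flag;' into a dict; tolerates spaces around ':' and quoted msg values."""
    out = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        out[key.strip()] = value.strip().strip('"')
    return out


def validate_rules(rule_texts):
    """Return [(rule_text, [problems...])]; an empty problem list means the rule passed."""
    seen_sids = set()
    report = []
    for text in rule_texts:
        m = RULE_RE.match(text.strip())
        if not m:
            report.append((text, ["unparseable rule header or missing option parentheses"]))
            continue
        opts = parse_options(m.group("opts"))
        problems = [f"missing {k}" for k in ("msg", "appid", "sid", "rev") if k not in opts]
        sid_text = opts.get("sid", "")
        if sid_text:
            if not sid_text.isdigit():
                problems.append("sid is not numeric")
            else:
                sid = int(sid_text)
                if sid < LOCAL_SID_MIN:
                    problems.append(f"sid {sid} is below the local-rule range (>= {LOCAL_SID_MIN})")
                if sid in seen_sids:
                    problems.append(f"duplicate sid {sid}")
                seen_sids.add(sid)
        report.append((text, problems))
    return report


if __name__ == "__main__":
    # Application names and starting SID are assumptions for the demonstration.
    for rule in generate_rules(["openvpn", "facebook", "twitter"], start_sid=9000201):
        print(rule.render())
```

        Paste the printed lines into the interface's custom rules, then run `validate_rules` over the whole custom-rule list before restarting Snort; a duplicate SID is the usual reason a freshly added rule is silently ignored.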

          Hi

          There are too many factors in a snort / pfsense configuration to know what fails without knowing the whole configuration.

          Do you have the LAN interface configured in Snort?

          Regards.

            javcasta, last edited Nov 28, 2016, 9:57 AM

            Hi.

            https://forum.pfsense.org/index.php?topic=23265.0

            Regards.

              javcasta, last edited Dec 14, 2016, 2:19 PM

              Hi.

              These alerts are not a real problem, do not worry.

              Time             Process   PID     Message
              Dec 14 16:02:30  kernel            re1: promiscuous mode enabled
              Dec 14 16:02:26  snort     91336   AppInfo: AppId 4110 is UNKNOWN
              Dec 14 16:02:26  snort     91336   Invalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0
              Dec 14 16:02:26  snort     91336   AppInfo: AppId 4043 is UNKNOWN
              Dec 14 16:02:26  snort     91336   AppInfo: AppId 4109 is UNKNOWN
              Dec 14 16:02:26  snort     91336   AppInfo: AppId 4115 is UNKNOWN
              Dec 14 16:02:25  php-fpm   85745   /snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...
              Dec 14 16:02:24  kernel            re1: promiscuous mode disabled

              Regards

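              The log excerpt above shows the "AppId N is UNKNOWN" messages landing within a second of the interface's "Snort START" line, which is what makes them startup noise rather than a sign that detection is broken. As an added example (not code from this thread or from the pfSense package), the script below parses pfSense system-log lines of that shape and separates AppId warnings logged shortly after a Snort start from ones logged at any other time, which would deserve a look. The sample log is constructed from the lines in this post plus one invented line at 16:45:10 to show the second category; the 30-second window, the year used to complete the year-less syslog timestamps, and the `triage_appid_warnings` name are assumptions.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# pfSense system-log line: year-less syslog timestamp, process, optional PID, message.
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?P<proc>\S+)\s+(?P<pid>\d*)\s*(?P<msg>.*)$'
)
# Matches both "AppId 4110 is UNKNOWN" and "Invalid direct service AppId, 4110, for ...".
APPID_RE = re.compile(r'AppId,?\s+(\d+)')
START_MARK = "Snort START for"

# Constructed sample: the lines from the post above (newest first) plus one invented
# warning at 16:45:10, well after the start, to show the "outside startup" case.
SAMPLE_LOG = [
    "Dec 14 16:45:10\tsnort\t91336\tAppInfo: AppId 4110 is UNKNOWN",
    "Dec 14 16:02:30\tkernel\tre1: promiscuous mode enabled",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4110 is UNKNOWN",
    "Dec 14 16:02:26\tsnort\t91336\tInvalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4043 is UNKNOWN",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4109 is UNKNOWN",
    "Dec 14 16:02:26\tsnort\t91336\tAppInfo: AppId 4115 is UNKNOWN",
    "Dec 14 16:02:25\tphp-fpm\t85745\t/snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...",
    "Dec 14 16:02:24\tkernel\tre1: promiscuous mode disabled",
]


class Event(NamedTuple):
    ts: datetime
    proc: str
    msg: str


def parse_line(line: str, year: int = 2016) -> Optional[Event]:
    """Parse one log line; the year is assumed because syslog timestamps omit it."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return Event(ts, m.group("proc"), m.group("msg"))


def triage_appid_warnings(lines, window_s: int = 30):
    """Split AppId warnings into those within window_s seconds after a Snort start and the rest.

    Returns {"at_startup": [appids], "outside_startup": [appids]}, each sorted and deduplicated.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    starts = [e.ts for e in events if e.proc == "php-fpm" and START_MARK in e.msg]
    at_startup, outside = set(), set()
    for e in events:
        if e.proc != "snort":
            continue
        m = APPID_RE.search(e.msg)
        if not m:
            continue
        appid = int(m.group(1))
        if any(0 <= (e.ts - s).total_seconds() <= window_s for s in starts):
            at_startup.add(appid)
        else:
            outside.add(appid)
    return {"at_startup": sorted(at_startup), "outside_startup": sorted(outside)}


if __name__ == "__main__":
    print(triage_appid_warnings(SAMPLE_LOG))
```

              Warnings in the "at_startup" bucket are the ones this post says to ignore; anything that shows up in "outside_startup" on a running instance is worth correlating with a detector update or a restart you did not expect.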