[WORK] snort: blocking layer 7 protocols - custom rule for block openvpn
-
Hi.
I have enabled OpenAppID in Snort on pfSense 2.3.2_1.
I made a custom rule to block OpenVPN:
alert udp any any -> any any (msg: "OpenVPN"; classtype:attempted-recon; appid: openvpn ; sid:9000001; rev:1;)
Is the syntax/format right for this rule?
In my log I see:
Nov 3 16:58:28 snort 32611 AppInfo: AppId 4110 is UNKNOWN
Nov 3 16:58:28 snort 32611 Invalid direct service AppId, 4110, for 0x80a492500 0x819ade3c0
Nov 3 16:58:28 snort 32611 AppInfo: AppId 4043 is UNKNOWN
Nov 3 16:58:28 snort 32611 AppInfo: AppId 4109 is UNKNOWN
Nov 3 16:58:28 snort 32611 AppInfo: AppId 4115 is UNKNOWN
Regards
-
Hi.
:)
All right, now it works fine for me:
I did this:
- Services > Snort > Global Settings > Sourcefire OpenAppID Detectors: click to enable download of Sourcefire OpenAppID Detectors
- Services > Snort > Preprocessors and Flow > LAN > Application ID Detection: use OpenAppID to detect various applications (default is not checked)
The Snort custom rules in LAN:
alert tcp any any -> any any (msg:"Facebook1"; appid: facebook; sid: 9000101; classtype:misc-activity; rev:1;)
alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn; sid: 9000103; classtype:misc-activity; rev:1;)
alert tcp any any -> any any (msg:"Facebook2"; appid: facebook_apps; sid: 9000105; classtype:misc-activity; rev:1;)
alert tcp any any -> any any (msg:"Facebook3"; appid: facebook_like; sid: 9000107; classtype:misc-activity; rev:1;)
alert tcp any any -> any any (msg:"Twitter1"; appid: twitter; sid: 9000109; classtype:misc-activity; rev:1;)
- restart the Snort service
And now my pfSense drops OpenVPN traffic on the LAN side (and Facebook and Twitter)
Regards
-
Hi.
On my LAN, I only detect OpenVPN traffic over UDP.
But to block via Snort & OpenAppID, the custom rules for OpenVPN over TCP & UDP:
alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn; sid: 9000201; classtype:misc-activity; rev:1;)
alert tcp any any -> any any (msg:"OpenVPN"; appid: openvpn; sid: 9000202; classtype:misc-activity; rev:1;)
Regards
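A small checker for the custom rules posted in this thread, added here as an example (not code from the thread or from the Snort/pfSense projects). It parses each rule's header and options, flags missing msg/sid/appid, duplicate sids and sids below Snort's local-rule range (1000000 and up), and reports which transport protocols each appid is matched on, which is the gap the OpenVPN TCP/UDP pair above closes.

```python
import re

# Rules copied from the thread above (constructed input for this example).
RULES = """
alert udp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000201; classtype:misc-activity; rev:1;)
alert tcp any any -> any any (msg:"OpenVPN"; appid: openvpn;sid: 9000202; classtype:misc-activity; rev:1;)
alert tcp any any -> any any (msg:"Facebook1"; appid: facebook; sid: 9000101; classtype:misc-activity; rev:1;)
"""

# Rule header: action proto src sport dir dst dport ( options )
HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|log|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Split one rule into header fields plus an options dict; spaces around ':' and ';' are tolerated."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def check_rules(text):
    """Return (problems, coverage): problems lists missing msg/sid/appid, duplicate sids and
    sids under 1000000 (Snort reserves 1000000+ for local rules); coverage maps appid -> protocols."""
    problems, seen, cov = [], set(), {}
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_rule(line)
        o, name = r["opts"], r["opts"].get("msg", "?")
        for req in ("msg", "sid", "appid"):
            if req not in o:
                problems.append(f"{name}: missing {req}")
        sid = int(o.get("sid", 0))
        if sid < 1000000:
            problems.append(f"{name}: sid {sid} is below the local-rule range (1000000+)")
        if sid in seen:
            problems.append(f"{name}: duplicate sid {sid}")
        seen.add(sid)
        cov.setdefault(o.get("appid"), set()).add(r["proto"])
    return problems, cov
```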
-
Hi
There are too many factors in a Snort / pfSense configuration to know what fails without knowing the whole configuration.
Do you have the LAN interface configured in Snort?
Regards.
-
Hi.
These alerts are not a real problem, do not worry.
Time Process PID Message
Dec 14 16:02:30 kernel re1: promiscuous mode enabled
Dec 14 16:02:26 snort 91336 AppInfo: AppId 4110 is UNKNOWN
Dec 14 16:02:26 snort 91336 Invalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0
Dec 14 16:02:26 snort 91336 AppInfo: AppId 4043 is UNKNOWN
Dec 14 16:02:26 snort 91336 AppInfo: AppId 4109 is UNKNOWN
Dec 14 16:02:26 snort 91336 AppInfo: AppId 4115 is UNKNOWN
Dec 14 16:02:25 php-fpm 85745 /snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...
Dec 14 16:02:24 kernel re1: promiscuous mode disabled
Regards