SNORT OPENAPPID RULES DETECTORS offline install package?



  • SNORT OPENAPPID RULES DETECTORS is failing to update because of a certain GeoIP block.  I wonder if there is an alternate way, like an offline update install package file.



  • @techbee:

    SNORT OPENAPPID RULES DETECTORS is failing to update because of a certain GeoIP block.  I wonder if there is an alternate way, like an offline update install package file.

    I'm not aware of an offline download process….  But, I'm assuming you are using pfBlockerNG also since you mention a "geoip block".  If not, at least this will give you the IPs and Hosts you need to unblock.  Here is my fix for the TLD black/white lists to make it work for that rule set coming from Brazil.

    TLD blacklist
    br
    edu.br

    TLD whitelist
    www.ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
    ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
    thor.ifs.edu.br|200.133.48.21 # SNORT OpenAppID rule



  • No, I don't use pfBlockerNG.



  • @techbee:

    No, I don't use pfBlockerNG.

    You will need to whitelist those IP addresses or the country of Brazil if you want to use the provided OpenAppID rules.  See my response in your other thread about Snort failing to update.

    Bill



  • I think the issue is their servers. I am from Hong Kong and I have the exact same error: when I try to go to www.ifs.edu.br, it displays a firewall message saying it has a Geo-IP block of Hong Kong.
    When I try to go to the website again using a VPN in the US, it displays the website just fine.

    Is there a way to contact the author of the rules, or the university to unblock it?
    To me, it just doesn't seem fair to block an entire country just because some assholes abuse some servers that happen to be located in said country.




  • And there is no way we can contact them to whitelist our public IP.



  • @techbee:

    And there is no way we can contact them to whitelist our public IP.

    I do not know the name of the admin contact nor the name of the individual that submitted the pull request which placed the OpenAppID rule set into the Snort GUI code.  I believe the tag name was "Demair" on the GitHub site for pfSense.  You may be able to initiate contact there.  Here is a link to his GitHub site:  https://github.com/Demair.

    Bill



  • I think the issue is their servers. I am from Hong Kong and I have the exact same error: when I try to go to www.ifs.edu.br, it displays a firewall message saying it has a Geo-IP block of Hong Kong.
    When I try to go to the website again using a VPN in the US, it displays the website just fine.

    Any way to work around this? It's definitely a geo block. Any way to contact them? Or maybe if someone knows the URL? I can download the rules on a public server, add a DNS override and on the firewall

