Layer 7 filtering



  • While pfSense dropped the Layer 7 filtering and suggested using Snort, I don't know why other commercial firewalls still have Layer 7 filtering on them. I forgot what commercial firewall that was, probably Sophos.



  • @techbee:

    While pfSense dropped the Layer 7 filtering and suggested using Snort, I don't know why other commercial firewalls still have Layer 7 filtering on them. I forgot what commercial firewall that was, probably Sophos.

    I believe it was because the Layer 7 filtering in pfSense was never great and it was a little hard to maintain. I think it was more an experiment from one of the developers who has since departed. The OpenAppID system now in Snort was open-sourced by Sourcefire soon after acquiring Snort. It is modeled after some of their older proprietary stuff. You have the basic engine available in the Snort binary, but to complete the circle and make it actually do something you need custom AppID rules. A third-party provider volunteered to create and maintain a cache of OpenAppID rules for the Snort package on pfSense. Those rules are hosted on a University web site in Brazil. You can enable their download in the Snort GUI on the GLOBAL SETTINGS tab. Be aware, though, that the hosting web site does geo-blocking on certain countries. If you reside in one of the countries they geo-block, then you won't be able to download the rules (at least not without using a VPN to get around the geo-blocking).

    Bill