OpenAppID app block?
I know it may be a novice question, but it is one I am searching about to no avail (thus far).
Question is: I am interested in the Layer 7 control features of Snort, to the effect of installing it on my pfSense machine. I have interests in blocking apps and/or websites on my network. This is to be done for mobile devices as well as laptops/tablets. I have already installed and configured Snort with OpenAppID as per the guide online.
So what I was expecting to see was, say, using WhatsApp on my phone not working, going on Chrome for Facebook being blocked, etc. None of it is being blocked. I know it is working because on my WAN it blocks Ookla Speedtest as well as access to my CCTV cameras from VPN or DDNS.
Am I using the right tool for my desires, or am I doing something wrong? Thanks
Try running Snort on the LAN interface.
I had a quick play with OpenAppID on my TEST subnet and it does block.
Yes, if the built-in rules you select don't match your requirements, you can write a custom rule to block a specific application. I just created this custom test rule to block WhatsApp:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"WhatsApp"; flow:from_client; appid:whatsapp; sid:1000056; classtype:misc-activity; rev:1;)
…it blocks to a greater or lesser extent (see attached image of the alerts generated), and a lot depends on how up-to-date and accurate the Snort detectors are and how quickly the applications change. You can get a list of applications from the snort-openappid.tar.gz file at https://www.snort.org/downloads#openappid
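As an added example (not the rules posted in the reply above), here is what a small custom rules file could look like if you extend that approach to the other apps mentioned in the question. The `whatsapp` appid name is the one used in the reply; `facebook` is an assumed detector name, so check it against the application list in the snort-openappid.tar.gz download (to my knowledge the odp/appMapping.data file inside it) before relying on it. SIDs of 1000000 and above are the range reserved for local rules.

```snort
# local.rules - custom OpenAppID rules (added example, not the poster's rules)
# In the pfSense Snort package these are "alert" rules: the actual block only
# happens when "Block Offenders" is enabled on the interface running Snort,
# and for LAN clients that interface has to be the LAN (see the earlier reply).

# WhatsApp: appid name taken from the reply above
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APPID WhatsApp client traffic"; flow:to_server,established; appid:whatsapp; sid:1000056; classtype:policy-violation; rev:2;)

# Facebook: "facebook" is an ASSUMED detector name - verify it in the OpenAppID app list
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APPID Facebook client traffic"; flow:to_server,established; appid:facebook; sid:1000057; classtype:policy-violation; rev:1;)

# Protocol "ip" matches UDP as well as TCP, which matters for apps that do
# voice/video over UDP (WhatsApp calls, for example)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"APPID WhatsApp any protocol"; appid:whatsapp; sid:1000058; classtype:policy-violation; rev:1;)

# Only if Snort is run inline (IPS mode, not what the pfSense package does by
# default): "drop" discards the matching packets instead of just alerting.
# drop ip $HOME_NET any -> $EXTERNAL_NET any (msg:"APPID WhatsApp drop"; appid:whatsapp; sid:1000059; classtype:policy-violation; rev:1;)
```

Two caveats worth knowing before expecting this to behave like a per-app firewall: "Block Offenders" blocks by IP address, so once a rule fires the remote (or local, depending on the "Kill states"/"Which IP to block" setting) address is blocked for all traffic, not just that application, and because OpenAppID has to see enough of the flow to identify the app, the first packets of a session usually get through before the block takes effect.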