OpenAppID app block?



  • Good day

    Know it maybe a novice question but it is one I am searching about to no avail (thus far)

    QUestion is?: I am internested in the Layer 7 control features of snort to the effect of installing it on my pfsense machine. I have interests in blocking Apps and/or website on my network. This is to be done for mobile devices as well as laptops / tablets. I have already installed and configured snort with openappid as per the guide online.

    Sooooo what I was expecting to see was like say, using whatsapp on my phone not working, going on chrome for facebook being blocked etc. None is being blocked. I know it is working cause on my WAN it blocks ookla speedtest as well as accessing my cctv cameras from vpn or ddns.

    Am I using the right tool for my desires or am I doing something wrong? Thanks


  • Galactic Empire

    Try running snort on the LAN interface.

    I had a quick play with openappid on my TEST subnet and it does block.




  • Yes, if the built-in rules you select don't match your requirements, you can write a custom rule to block a specific application. I just created this custom test rule to block WhatsApp:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"WhatsApp";flow:from_client;appid:whatsapp; sid:1000056 ; classtype:misc-activity; rev:1;)

    …it blocks to a lesser or greater extent, see attached image of the alerts generated, and a lot depends on how up-to-date and accurate the Snort detectors are and how quickly the applications change. You can get a list of applications from the Snort snort-openappid.tar.gz file at https://www.snort.org/downloads#openappid



 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy