Netgate Discussion Forum

    OpenAppID app block?

      AnointedOne

      Good day

      I know it may be a novice question, but it is one I have been searching about to no avail (thus far).

      Question is: I am interested in the Layer 7 control features of Snort, to the effect of installing it on my pfSense machine. I have interests in blocking apps and/or websites on my network. This is to be done for mobile devices as well as laptops / tablets. I have already installed and configured Snort with OpenAppID as per the guide online.

      So what I was expecting to see was, say, using WhatsApp on my phone not working, going on Chrome for Facebook being blocked, etc. None is being blocked. I know it is working because on my WAN it blocks Ookla Speedtest as well as accessing my CCTV cameras from VPN or DDNS.

      Am I using the right tool for my desires or am I doing something wrong? Thanks

        NogBadTheBad

        Try running snort on the LAN interface.

        I had a quick play with openappid on my TEST subnet and it does block.


        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          silentnomad

          Yes, if the built-in rules you select don't match your requirements, you can write a custom rule to block a specific application. I just created this custom test rule to block WhatsApp:

          alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"WhatsApp";flow:from_client;appid:whatsapp; sid:1000056 ; classtype:misc-activity; rev:1;)

          …it blocks to a lesser or greater extent, see attached image of the alerts generated, and a lot depends on how up-to-date and accurate the Snort detectors are and how quickly the applications change. You can get a list of applications from the Snort snort-openappid.tar.gz file at https://www.snort.org/downloads#openappid

          2018-05-19_15-20-44.png

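Added example (not part of the thread or of the Snort/pfSense code): a small Python check for custom OpenAppID rules like the WhatsApp rule above. It flags SIDs outside the local range, duplicate SIDs, and `appid` names that are missing from your detector list. `KNOWN_APPS` is a constructed stand-in for the application names in the OpenAppID detector package, and matching names case-insensitively is an assumption.

```python
import re

LOCAL_SID_MIN = 1_000_000  # Snort convention: locally written rules use SIDs >= 1,000,000
RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
FIELDS = ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')
# One option = a run of plain characters, escaped characters, or quoted strings,
# so a ';' inside msg:"..." does not end the option.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def parse_rule(line):
    """Return the header fields plus an 'options' dict (last value wins per key)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError('not a single-line Snort rule: %r' % line)
    rule = dict(zip(FIELDS, m.groups()))
    rule['options'] = {}
    for opt in OPTION_RE.findall(m.group(8)):
        key, _, val = opt.partition(':')
        if key.strip():
            rule['options'][key.strip()] = val.strip().strip('"')
    return rule

def lint(line, known_apps, seen_sids):
    """Return a list of problems found in one custom OpenAppID rule."""
    opts, problems = parse_rule(line)['options'], []
    sid = opts.get('sid', '')
    if not sid.isdigit():
        problems.append('missing or non-numeric sid')
    elif int(sid) < LOCAL_SID_MIN:
        problems.append('sid below local range')
    elif sid in seen_sids:
        problems.append('duplicate sid')
    seen_sids.add(sid)
    # Permissive split (assumption): one name, or several separated by spaces/commas.
    apps = [a for a in re.split(r'[\s,]+', opts.get('appid', '')) if a]
    if not apps:
        problems.append('no appid option')
    problems += ["appid '%s' not in detector list" % a
                 for a in apps if a.lower() not in known_apps]
    return problems

# Constructed stand-in for the application names shipped in the detector package.
KNOWN_APPS = {'whatsapp', 'facebook'}
PAGE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"WhatsApp";'
             'flow:from_client;appid:whatsapp; sid:1000056 ; classtype:misc-activity; rev:1;)')

if __name__ == '__main__':
    print(lint(PAGE_RULE, KNOWN_APPS, set()))
```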
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.