(Solved) Snort ACL exist?

  • Been working with Snort these couple of weeks, which is an excellent piece of software, and pfSense has done great work in the integration.

    My question is related to ACLs; maybe Snort doesn't know anything related to this stuff like Squid does.

    Is it possible to apply some rules to some LAN IPs, for example, like an ACL?

    LAN IP-x: you will be blocked by the rules social-media/media-streaming.
    LAN IP-y: you will be blocked by the rules media-streaming/webservices.

    Is this possible, or does Snort not work this way?

    Just curious, running the latest pfSense 2.4.4_p2, thanks.

  • Snort can use the OpenAppID Layer 7 detection preprocessor to do what you want. You will have to write your own custom rules, though. Some info to get you started can be found here: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#application-id-detection-with-openapp-id. To get a feel for writing your own rules (or copying and then customizing one of the existing rules), enable OpenAppID as shown in this doc. Then go to the RULES tab and open some of the OpenAppID rule category files from the drop-down selector. They will all have the prefix "openappid".

    And here is a YouTube video produced by a third party showing the use of OpenAppID: https://www.youtube.com/watch?v=-GgqYq5-EBg.
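
One way to produce the per-host custom rules described above, as an added example that is not part of the original posts or the pfSense package: a small generator that emits one `appid` rule per LAN source IP and application. The host addresses, the application names, the category-to-application mapping and the `tcp`/`any any` rule shape are assumptions; check the names against the "openappid" category files on the RULES tab.

```python
import ipaddress

# Constructed mapping: category -> OpenAppID application names (assumed names).
CATEGORY_APPS = {
    "social-media": ["facebook", "twitter"],
    "media-streaming": ["youtube", "netflix"],
    "webservices": ["dropbox"],
}

# Constructed per-host policy mirroring the IP-x / IP-y question.
HOST_POLICY = {
    "192.168.1.10": ["social-media", "media-streaming"],
    "192.168.1.20": ["media-streaming", "webservices"],
}


def build_rules(policy, category_apps, action="alert", first_sid=1000001):
    """Return one Snort rule string per (host, application) pair.

    SIDs start at 1,000,001 because values from 1,000,000 up are the
    range Snort leaves for locally written rules.
    """
    if action not in ("alert", "drop"):
        raise ValueError(f"unsupported rule action: {action}")
    rules = []
    sid = first_sid
    for host, categories in policy.items():
        src = ipaddress.ip_address(host)  # ValueError on a malformed address
        seen = set()  # avoid duplicate rules when categories overlap
        for category in categories:
            if category not in category_apps:
                raise KeyError(f"no application list for category {category}")
            for app in category_apps[category]:
                if app in seen:
                    continue
                seen.add(app)
                rules.append(
                    f'{action} tcp {src} any -> any any '
                    f'(msg:"Policy {category}: {app} from {src}"; '
                    f'appid:{app}; classtype:policy-violation; '
                    f'sid:{sid}; rev:1;)'
                )
                sid += 1
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(HOST_POLICY, CATEGORY_APPS)))
```

The printed lines can be pasted into the interface's custom rules; because the source address is fixed in each rule header, other LAN hosts never match them.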

  • @bmeeks reading, learning, thanks again!!!
