Blocking OpenappID only on VLAN?
-
Hi
I was wondering if someone else has had this issue before. Currently I have a VLAN where I need to block a few websites using OpenAppID. But what I noticed is that once I enable it on the VLAN it also affects the LAN. What I did notice is there is a part that says "Choose the Networks Snort Should Inspect and Whitelist",
but I can't seem to figure out how to edit that part. I'm guessing it's adding the home net as the LAN instead of leaving only the VLAN.
Thank you
-
Snort runs on the physical interface (so the VLAN parent). That means it will always see all traffic on the physical interface (and so all VLANs running on that parent). You can't separate them out.
-
@bmeeks
Thanks for the reply, I did not know that. Is it possible to whitelist the LAN so it won't get blocked?
Thank you
-
@killmasta93 said in Blocking OpenappID only on VLAN?:
@bmeeks
Thanks for the reply, I did not know that. Is it possible to whitelist the LAN so it won't get blocked?
Thank you

Your LAN hosts themselves should not be getting blocked. All locally-attached interfaces on the firewall are automatically added to the default Pass List (or whitelist, to use the more common term outside of the pfSense package). External hosts that a LAN host communicates with can get blocked, though. And with one end of the conversation blocked, that ends all traffic to and from that external host.
If you are experiencing actual blocks of internal LAN hosts (meaning the internal hosts IP addresses are showing up on the BLOCKS tab), then you have a configuration problem.
-
@bmeeks Thanks for the reply. The internal hosts do not appear on the alert tab; only the external IPs appear, such as Facebook, but it affects the LAN, whereas it should only be applied on the VLAN.
Currently it's off right now because users were complaining.
-
The OpenAppID part of Snort is best used with Inline IPS Mode. But you need NICs that are supported by netmap via the new iflib wrapper in FreeBSD 12. If you have such a NIC, then I would advise you to switch over to Inline IPS Mode and use the SID MGMT tab features to selectively set some rules to DROP and leave others at ALERT.

Legacy Mode blocking is really too big of a "hammer" to use for policing workplace policy things like social media usage. Legacy Mode blocks IP addresses completely, and that can break a lot of stuff. Inline IPS Mode selectively drops only individual packets. It does not permanently block anything. So Inline IPS Mode would drop all packets that are related to WhatsApp, but not block other traffic even if it was to the same external host IP.
Your problem is further complicated by using VLANs. Snort is not able to differentiate the various IP subnets on the VLANs because it runs at the physical (parent) interface level and sees all traffic on the wire.
Why are you using OpenAppID anyway? Do you want to actively block social media stuff, or do you just want to know if it is traversing your network?
If you don't care about social media traffic on your network, just turn off OpenAppID because you don't need it if you don't want to block such traffic. If you just want to monitor for such traffic, but not block it, then you must either turn off blocking completely, or use Inline IPS Mode with a compatible NIC and use SID MGMT conf files to set the action for rules you wish to actually block stuff from ALERT to DROP. You would leave the OpenAppID rules set for ALERT, so they just log alerts but don't block traffic.
If you do want to block the traffic, then you will find Inline IPS Mode is better suited for OpenAppID. That's because Inline IPS Mode can filter individual packets without need to block every single thing to the external host IP.
-
@bmeeks
Thanks for the reply. Currently I need to block social networks on the VLAN, which only connects mobile devices. On my LAN I run WPAD, SquidGuard and Squid, so I have no issue there, but not all mobiles have the auto-detect feature, which is why I thought Snort could apply to this.
How could I check if the NIC has iflib? It's currently on a Dell R720 virtualized on Proxmox.
-
@killmasta93 said in Blocking OpenappID only on VLAN?:
@bmeeks
Thanks for the reply. Currently I need to block social networks on the VLAN, which only connects mobile devices. On my LAN I run WPAD, SquidGuard and Squid, so I have no issue there, but not all mobiles have the auto-detect feature, which is why I thought Snort could apply to this.
How could I check if the NIC has iflib? It's currently on a Dell R720 virtualized on Proxmox.

If your NIC driver is one of the following, then it will support Inline IPS Mode:
'cc', 'cxl', 'cxgbe', 'em', 'igb', 'em', 'lem', 'ix', 'ixgbe', 'ixl', 're', 'vtnet', 'ena', 'ice', 'bnxt', 'vmx'
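A small POSIX shell helper to answer the "how could I check" question against the driver list above. This is an added example, not code from the pfSense Snort package or from the poster; it assumes that FreeBSD interface names are the driver name followed by a unit number (vtnet0, igb1) and that VLAN child interfaces use the dotted parent.tag form (vtnet0.10), so the check is done on the parent, which is where Snort runs anyway. The interface names in the comments are constructed sample input.

```shell
#!/bin/sh
# Drivers named in the post as netmap/iflib capable (Inline IPS Mode).
NETMAP_DRIVERS="cc cxl cxgbe em igb lem ix ixgbe ixl re vtnet ena ice bnxt vmx"

# parent_of: map a VLAN child name to its parent interface.
#   vtnet0.10 -> vtnet0     vtnet0 -> vtnet0
parent_of() {
  printf '%s\n' "$1" | sed 's/\..*$//'
}

# driver_of: strip the unit number from a (parent) interface name.
#   vtnet0 -> vtnet     igb1 -> igb     vtnet0.10 -> vtnet
driver_of() {
  parent_of "$1" | sed 's/[0-9]*$//'
}

# is_inline_capable: exit 0 if the interface's driver is in the list, 1 otherwise.
is_inline_capable() {
  drv=$(driver_of "$1")
  for d in $NETMAP_DRIVERS; do
    [ "$d" = "$drv" ] && return 0
  done
  return 1
}

# check_interfaces: one line per interface, e.g. "vtnet0: driver vtnet, Inline IPS Mode supported".
check_interfaces() {
  for ifn in "$@"; do
    if is_inline_capable "$ifn"; then
      printf '%s: driver %s, Inline IPS Mode supported\n' "$ifn" "$(driver_of "$ifn")"
    else
      printf '%s: driver %s, Legacy Mode only\n' "$ifn" "$(driver_of "$ifn")"
    fi
  done
}

# On a pfSense box you would feed it the live interface list:
#   check_interfaces $(ifconfig -l)
```

The last comment shows the real invocation; `ifconfig -l` on FreeBSD prints the interface names only, which is what the functions expect. Note that a VLAN child such as vtnet0.10 reports the same driver as vtnet0, which matches the earlier point in the thread that Snort sees the parent interface, not the individual VLAN.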
-
@bmeeks
Thanks for the reply, I believe I have vtnet,
but in theory it's pointless to try it out, because the VLAN where I need to block social networks would also block on my LAN.