Snort 2.9.7.0 – Preview of new OpenAppID feature



  • I have been working on the update to version 2.9.7.0 for the Snort package.  It is almost ready to go.  One of the coolest new features is the introduction of OpenAppID support.  This allows detection of over 2400 applications by the Snort engine.  You can find out about the new feature in these VRT Blog posts:

    http://blog.snort.org/2014/03/firing-up-openappid.html
    http://blog.snort.org/search/label/openappid

    To illustrate some of the possibilities of this new feature, I have assembled some screen captures from my recent testing.

    First, to enable OpenAppID, you will go to the GLOBAL SETTINGS tab and enable download of the OpenAppID package.  There will be a provision for editing the URL should that become necessary in the future, but for now the included default should work.

    Click on the UPDATES tab and click the Update button to download the latest OpenAppID package.  In the example below, the OpenAppID package was last downloaded on November 13, 2014.

    Next, go to the PREPROCESSORS tab and scroll down to enable the OpenAppID preprocessor as shown below.

    There is no existing set of ready-to-go app detection rules for Snort yet.  However, you can use the existing Custom Rules option in the Snort package to create your own rules.  Below is a sample rule designed to detect users attempting to use Facebook, Reddit or Twitter.  This is just a simple example rule for testing.  It is also vital that you always include a "classtype:" keyword in your custom rules.  Failure to do this will cause Snort to segfault and exit when the rule fires!

    After entering the test rule above and saving it, I used a browser client to attempt to browse to https://www.facebook.com/.  Below are the alerts from the ALERTS tab and the resulting blocks from the BLOCKED tab in Snort.

    Alerts from OpenAppID rule

    Blocks from OpenAppID alert

    Look for the new Snort 2.9.7.0 package soon… :)

    Bill


  • Banned

    Words cant describe how I feel about this….. LOVE



  • This is awesome! Thank you for all your work!

    So does that mean that this feature can be used instead of setting up a proxy and block lists to block certain websites/applications? Also, this works through SSL without the need of any additional software to MITM the connection?



  • @Heli0s:

    This is awesome! Thank you for all your work!

    So does that mean that this feature can be used instead of setting up a proxy and block lists to block certain websites/applications? Also, this works through SSL without the need of any additional software to MITM the connection?

    I'm not sure exactly how the SSL part works.  I know it is not actually decoding the entire SSL session, and it does not need any kind of MITM infrastructure.  I did attempt to browse directly to https://www.facebook.com and got blocked.  Also got all the alerts you see in my screen capture.  Also, you can see the destination port was 443, so that's further evidence SSL was in play.  I was using two VMware VMs.  One was a pfSense box and the other was a WinXP box configured so it was using the pfSense box as the gateway.

    The detectors are open source and written as Lua scripts, so you can download the package and examine the internals to see how it works.

    EDIT:  I took a look at some of the Lua scripts, and for SSL sites they basically look at the SSL Cert exchange and pick out SSL hosts from it.  That's how it can identify Facebook, for example, in an HTTPS URL.  It's not looking inside the encrypted SSL, instead it examines the initial SSL cert set up conversation to key off the host.

    Bill



  • @Supermule:

    Words cant describe how I feel about this….. LOVE

    This, times 10  ;D



  • When will you release this update??  :P



  • @simby:

    When will you release this update??  :P

    My part of the new code is complete.  There are some additional options being considered by the pfSense Team to take full advantage of the new OpenAppID feature.  I am waiting for them to notify me when they are ready for me to post the code for final review.

    Bill



  • You are making difficult even for me choosing between snort and suricata  :D

    An excellent feature, maybe this will help all the people wishing to block specific things (facebook, youtube) without any additional package.



  • @jflsakfja:

    You are making difficult even for me choosing between snort and suricata  :D

    An excellent feature, maybe this will help all the people wishing to block specific things (facebook, youtube) without any additional package.

    Sorry about that …  ;D.

    Will be posting a Suricata 2.0.4 preview thread shortly.  I'm adding GeoIP and IP Reputation support to Suricata in the 2.0.4 update.  That pull request is currently posted for review by the pfSense developers.

    Bill



  • Just installed the package (upgraded from 2.9.6.2), and Snort disappeared from the Services.

    System:Package Manager still lists the snort package as installed.

    Rebooting pfSense does not help. Any ideas?

    Thank you



  • Same here… lost Snort selection under Services.

    Can access it with this link ... http://x.x.x.x/snort/snort_interfaces.php



  • OpenID detection package link comes up blank when the the option is checked.



  • Ya, when enabling, it gives the error "You must supply a download URL in the box provided in order to enable OpenAppID detectors!"

    But, there is no box.  :(




  • @priller:

    Ya, when enabling, it gives the error "You must supply a download URL in the box provided in order to enable OpenAppID detectors!"

    But, there is no box.  :(

    That is the same I am having on my pfsense. I guess there is a little bug, which be fixed soon.



  • I confirm the same problem, no url field comes up…..



  • same problem (pfsense 2.2 rc x64)
    bmeeks help :)



  • sorry.  there was a problem with the pull request.  I will fix it, but I need a little time.  I am not at home.

    Bill



  • @G.D.:

    Just installed the package (upgraded from 2.9.6.2), and Snort disappeared from the Services.

    System:Package Manager still lists the snort package as installed.

    Rebooting pfSense does not help. Any ideas?

    Thank you

    Did you stuck on the Install screen that says "Waiting for Snort to start…."? and you clicked on something else?
    I found if you didn't let the install finishes Snort will disappear from the Service list.
    Because there is a bit more installs process after the "Waiting for Snort to start..." message.
    I had my search method set on AC for both WAN and LAN and it takes AGES and I mean AGES for Snort to start.

    Hope this helps.

    Val



  • Thanks to Renato for helping me out.  A fix was posted this morning that should correct the bogus validation error when enabling the new OpenAppID download under GLOBAL SETTINGS.

    I will post a separate release notes thread.

    For those of you having the service disappear from the menu, make sure you have space available on /tmp and /var.  Also give Snort plenty of time to restart.  Depending on your setup, this can take a while.  You will get a confirmation message on the screen.

    Bill



  • Wow, this is great, thank you!
    I have run into an issue writing the example rule, and I'm wondering if it is because I'm on the 64-bit version of pfsense, or perhaps I just can't type :)  Here is what I entered in the LAN custom rules:
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"facebook Reddit or Twitter applicaionts"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

    When I hit save, I get this error:
    https://www.dropbox.com/s/ux2b3bz6vypu2gz/Screenshot%202014-12-19%2010.17.58.png?dl=0

    text is Custom rules have errors: Fatal Error, Quitting…ERROR: /usr/pbi/snort-amd64/etc/snort/snort_50141_em/rules/custom.rules(1) Rule options must be enclosed in '('and')'.

    I have tried modifying my input to match what it suggests, but I keep getting the same error no matter what I do.  Have I missed something blindingly obvious, or is there possibly something "different" about 64-bit pfsense that might be causing this - or anything else I cna check, really.  Thanks, I'm really looking forward to using this!



  • Try this

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; classtype:misc-activity; sid:1000000; rev:1;)
    

    @snm777:

    Wow, this is great, thank you!
    I have run into an issue writing the example rule, and I'm wondering if it is because I'm on the 64-bit version of pfsense, or perhaps I just can't type :)  Here is what I entered in the LAN custom rules:
    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"facebook Reddit or Twitter applicaionts"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

    When I hit save, I get this error:
    https://www.dropbox.com/s/ux2b3bz6vypu2gz/Screenshot%202014-12-19%2010.17.58.png?dl=0

    text is Custom rules have errors: Fatal Error, Quitting…ERROR: /usr/pbi/snort-amd64/etc/snort/snort_50141_em/rules/custom.rules(1) Rule options must be enclosed in '('and')'.

    I have tried modifying my input to match what it suggests, but I keep getting the same error no matter what I do.  Have I missed something blindingly obvious, or is there possibly something "different" about 64-bit pfsense that might be causing this - or anything else I cna check, really.  Thanks, I'm really looking forward to using this!


  • Banned

    Can we have a default syntax rule somewhere in there?

    Just so we dont have to write the darn thing from scratch knowing that I will screw it up a million times :D


  • Banned

    The rule for this syntax

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

    Has this effect in firefox… Facebook is not working, Reddit is not working but Twitter works like a charm.

    So no effect on Twitter...



  • @Supermule:

    The rule for this syntax

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

    Has this effect in firefox… Facebook is not working, Reddit is not working but Twitter works like a charm.

    So no effect on Twitter...

    I had some problems with Twitter.  As I posted in the Release Notes thread a few minutes ago, this is a brand new feature to Snort everywhere (and not just pfSense).

    There are no absolute ironclad rules yet that I am aware of.  I posted a link in the Release Notes thread to the VRT Blog site where you can find some more info.

    Bill


  • Banned

    But it should be so easy if PfSense had Layer 7 inspection built in??

    ISA Server had it and it worked like a charm.

    Tell it to block facebook and it did…Like Snort is doing now, but somehow much more elegant if you know what I mean.


  • Banned



  • @Supermule:

    But it should be so easy if PfSense had Layer 7 inspection built in??

    ISA Server had it and it worked like a charm.

    Tell it to block facebook and it did…Like Snort is doing now, but somehow much more elegant if you know what I mean.

    I would expect some collections of common app rules to start appearing as this feature becomes more widespread.  Sourcefire (Cisco) just open-sourced this technology in Snort 2.9.7.0.  That's why info is currently scarce.

    Today it is a little awkward to use because you must write your own rules.

    OpenAppID uses Lua scripts for the app detection coding.  It might could be adapted into the pf L7 filter one day, but I'm not sure.

    Bill


Log in to reply