    Snort 2.9.7.0 – Preview of new OpenAppID feature

    Category: pfSense Packages (27 posts, 15 posters, 17.4k views)
    turker:

      Try this

      alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; classtype:misc-activity; sid:1000000; rev:1;)
      

      @snm777:

      Wow, this is great, thank you!
      I have run into an issue writing the example rule, and I'm wondering if it is because I'm on the 64-bit version of pfSense, or perhaps I just can't type :)  Here is what I entered in the LAN custom rules:
      alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"facebook Reddit or Twitter applicaionts"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

      When I hit save, I get this error:
      https://www.dropbox.com/s/ux2b3bz6vypu2gz/Screenshot%202014-12-19%2010.17.58.png?dl=0

      The text is: Custom rules have errors: Fatal Error, Quitting…ERROR: /usr/pbi/snort-amd64/etc/snort/snort_50141_em/rules/custom.rules(1) Rule options must be enclosed in '('and')'.

      I have tried modifying my input to match what it suggests, but I keep getting the same error no matter what I do.  Have I missed something blindingly obvious, or is there possibly something "different" about 64-bit pfSense that might be causing this - or anything else I can check, really.  Thanks, I'm really looking forward to using this!

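The error snm777 quotes is a structural one from Snort's rule parser, so here is an added example (my own Python, not code from this thread or from the pfSense Snort package) that runs the same enclosure check on a custom rule line before handing it to Snort and pulls the appid list out of a rule like the one above. The typographic-quote check and the sid requirement are my assumptions about what is worth flagging, not something the thread establishes.

```python
import re

# Snort rule header: action proto src src_port direction dst dst_port
HEADER_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+$")
# Constructed list: typographic quotes that editors and web pages often
# substitute for the ASCII '"' that Snort's rule parser expects.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def split_options(body):
    """Split 'k:v; k:v;' on ';' outside double quotes; None if unbalanced."""
    opts, cur, in_q, esc = [], "", False, False
    for ch in body:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == '"':
            cur, in_q = cur + ch, not in_q
        elif ch == ";" and not in_q:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if in_q or cur.strip():  # open quote, or an option missing its ';'
        return None
    return opts

def check_rule(line):
    """Return (problems, options) for one single-line Snort rule."""
    line, problems = line.strip(), []
    if any(ch in SMART_QUOTES for ch in line):
        problems.append("typographic quote found; use ASCII \"")
    lpar, rpar = line.find("("), line.rfind(")")
    if lpar < 0 or rpar < lpar or line[rpar + 1:].strip():
        problems.append("Rule options must be enclosed in '(' and ')'")
        return problems, {}
    if not HEADER_RE.match(line[:lpar].strip()):
        problems.append("malformed rule header")
    opts = split_options(line[lpar + 1:rpar])
    if opts is None:
        problems.append("unbalanced quote or option missing its ';'")
        return problems, {}
    options = {}
    for opt in opts:
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip()
    if "appid" in options:  # OpenAppID takes a space-separated app list
        options["appid"] = options["appid"].split()
    if "sid" not in options:  # Snort 2.9 rejects rules without a sid
        problems.append("missing sid option")
    return problems, options
```

Run `check_rule()` over each line of custom.rules and refuse to save the file while any line returns a non-empty problem list.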
    Supermule:

        Can we have a default syntax rule somewhere in there?

        Just so we don't have to write the darn thing from scratch knowing that I will screw it up a million times :D

    Supermule:

          The rule for this syntax

          alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

          Has this effect in Firefox… Facebook is not working, Reddit is not working, but Twitter works like a charm.

          So no effect on Twitter...

    bmeeks:

            @Supermule:

            The rule for this syntax

            alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"facebook Reddit or Twitter applications"; appid: facebook facebook_apps reddit twitter twitter_link; sid:1000000; classtype:misc-activity; rev:1;)

            Has this effect in Firefox… Facebook is not working, Reddit is not working, but Twitter works like a charm.

            So no effect on Twitter...

            I had some problems with Twitter.  As I posted in the Release Notes thread a few minutes ago, this is a brand new feature to Snort everywhere (and not just pfSense).

            There are no absolute ironclad rules yet that I am aware of.  I posted a link in the Release Notes thread to the VRT Blog site where you can find some more info.

            Bill

    Supermule:

              But it should be so easy if pfSense had Layer 7 inspection built in??

              ISA Server had it and it worked like a charm.

              Tell it to block facebook and it did… Like Snort is doing now, but somehow much more elegant, if you know what I mean.

    Supermule:

                http://rbgeek.wordpress.com/2012/05/29/how-to-block-facebook-in-mikrotik-using-l7-protocols-layer-7/

    bmeeks:

                  @Supermule:

                  But it should be so easy if pfSense had Layer 7 inspection built in??

                  ISA Server had it and it worked like a charm.

                  Tell it to block facebook and it did… Like Snort is doing now, but somehow much more elegant, if you know what I mean.

                  I would expect some collections of common app rules to start appearing as this feature becomes more widespread.  Sourcefire (Cisco) just open-sourced this technology in Snort 2.9.7.0.  That's why info is currently scarce.

                  Today it is a little awkward to use because you must write your own rules.

                  OpenAppID uses Lua scripts for the app detection coding.  It might be adapted into the pf L7 filter one day, but I'm not sure.

                  Bill

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.