    Snort:I excluded IPs from OpenApp ID facebook alert rule, but fb blocked for all

    IDS/IPS
san:

      Hi There

I have a problem blocking Facebook in Snort for part of the IP addresses.

      My LAN custom rules:
      ipvar FREE4ALL [192.168.1.2,192.168.1.3,192.168.1.5,192.168.1.6,192.168.1.10]
      alert tcp !$FREE4ALL any -> any any (msg:"LAN OpenAppID - Facebook"; appid: facebook facebook_apps facebook_chat; sid:800000; classtype:misc-activity; rev:1;)
      alert tcp !$FREE4ALL any -> any any (msg:"LAN OpenAppID - YouTube"; appid: youtube youtube_upload; sid:800001; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (msg:"LAN OpenAppID - BitTorrent - any"; appid: bt; sid:800002; classtype:misc-activity; rev:1;)

I defined an IP variable and negated it in my alert rules to get alerts only from the IPs not listed in the variable. This way I want to allow Facebook and YouTube for some people but deny them for the rest. Alerts work fine; they only appear from the IPs not listed in FREE4ALL, but the Facebook and YouTube sites are blocked for all IPs, including the ones listed above. When I clear the list of blocked hosts, the problem disappears for a while.

I thought that the block src/dst option means that Snort creates one firewall rule to block the destination IP for the source IP, but this behaviour makes me confused.

My goal is to block BitTorrent traffic, social and online media sites for most clients, then to prioritize the rest of the traffic without the need for a proxy and SSL interception.

Can someone point out why Facebook is blocked for all? Another question arising from this is how to avoid blocking an allowed site if two services (like Google Apps and YouTube) use the same CDN and sometimes share the same IP address?

I used several UTM distributions in the past, and for me pfSense is second after Sophos UTM in features and first in performance, and I want to stick with it! The Snort OpenAppID preprocessor fills the last hole compared to Sophos (Web Protection/Application Control), but it seems it can only work (drop packets) in inline mode. Still, it is very good to see that the OpenAppID alerts are very accurate!!

      Thank you for your time, -s-

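An added model, not code from the post, pfSense or Snort, of why a block src/dst action ends up blocking Facebook for every LAN host. It assumes, as the pfSense Snort package does, that offending addresses are inserted into the pf table `snort2c`, which pf enforces per address rather than per source/destination pair; the flows are constructed, with 203.0.113.10 (documentation range) standing in for a Facebook edge IP, and the third flow covers the shared-CDN question from the post.

```python
import ipaddress

# The ipvar from the post; the '!$FREE4ALL' rules skip these sources.
FREE4ALL = "ipvar FREE4ALL [192.168.1.2,192.168.1.3,192.168.1.5,192.168.1.6,192.168.1.10]"

# Constructed sample flows (src, dst); 203.0.113.10 is a placeholder, not a
# real Facebook address.
FLOWS = [
    ("192.168.1.20", "203.0.113.10"),  # non-exempt host opens Facebook: alert fires
    ("192.168.1.2", "203.0.113.10"),   # exempt host opens Facebook afterwards
    ("192.168.1.3", "203.0.113.10"),   # exempt host reaching another app on the same CDN IP
]

def parse_ipvar(line):
    """Return the set of addresses in a Snort 'ipvar NAME [a,b,...]' line."""
    body = line[line.index("[") + 1:line.rindex("]")]
    return {str(ipaddress.ip_address(a.strip())) for a in body.split(",")}

def alert_fires(src, exempt):
    """'alert tcp !$FREE4ALL any -> any any' matches only sources outside the list."""
    return src not in exempt

def simulate(flows, exempt, mode):
    """Process flows in order and return the list of flows the blocker denies.

    mode="ip":   block src/dst as pfSense Snort does: both addresses go into
                 the snort2c pf table, which pf applies to every packet.
    mode="pair": hypothetical per-(src, dst) block, i.e. what the post expected.
    """
    blocked_ips, blocked_pairs, denied = set(), set(), []
    for src, dst in flows:
        if mode == "ip" and (src in blocked_ips or dst in blocked_ips):
            denied.append((src, dst))
            continue
        if mode == "pair" and (src, dst) in blocked_pairs:
            denied.append((src, dst))
            continue
        if alert_fires(src, exempt):
            blocked_ips.update((src, dst))   # snort2c gets both addresses
            blocked_pairs.add((src, dst))
            denied.append((src, dst))        # the offending flow itself is killed
    return denied

if __name__ == "__main__":
    exempt = parse_ipvar(FREE4ALL)
    print("ip-table blocking denies:", simulate(FLOWS, exempt, "ip"))
    print("per-pair blocking denies:", simulate(FLOWS, exempt, "pair"))
```

Once the non-exempt host triggers the rule, the destination address sits in the table and every later flow to it is denied regardless of source, which matches the post's "blocked for all" observation and why clearing the blocked-hosts list helps only until the next alert.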