Snort:I excluded IPs from OpenApp ID facebook alert rule, but fb blocked for all

  • Hi There

    I have problem blocking facebook in snort for a part of IP addresses.

    My LAN custom rules:
    ipvar FREE4ALL [,,,,]
    alert tcp !$FREE4ALL any -> any any (msg:"LAN OpenAppID - Facebook"; appid: facebook facebook_apps facebook_chat; sid:800000; classtype:misc-activity; rev:1;)
    alert tcp !$FREE4ALL any -> any any (msg:"LAN OpenAppID - YouTube"; appid: youtube youtube_upload; sid:800001; classtype:misc-activity; rev:1;)
    alert tcp any any -> any any (msg:"LAN OpenAppID - BitTorrent - any"; appid: bt; sid:800002; classtype:misc-activity; rev:1;)

    I defined an IP variable and negated it in my alert rules to get alert only from the IPs not listed in the variable. This way i want to allow Facebook and Youtube for some people, but deny for the rest. Alerts works fine, they only appears from the IPs not listed in FREE4ALL but Facebook and YouTube sites are blocked for all IPs including the ones listed above. When I clear the list of blocked hosts, the problem disappears for a while.

    I thought that block src/dst option means that snort creates one firewall rule to block the destination IP for the source IP but this behavior makes me confused.

    My goal is to block bittorrent traffic, social and online media sites for most clients, then to priorize the rest of the traffic without the need of a proxy and ssl interception.

    Can someone point on why facebook is blocked for all? Other question from this is how to avoid blocking an allowed site if two services (like google apps and youtube) uses the same CDN and sometimes shares the same IP address?

    I used several UTM distributions in the past and for me pfSense is the second after Sophos UTM in features and the first in performance, and I want to keep with it! Snort OpenAppID preprocessor fills the last hole compared to Sophos (Web Protection/Application Control) but it seems it can only work (drop packets) in inline mode. Still very good to see, that the OpenAppID alerts are very accurate!!

    Thank you for your time, -s-

Log in to reply