[Snort-openappid] Snort with openappid doesn't block android apps

Y M snort at ...46...
Thu Nov 19 11:02:52 EST 2015


Do you have a pcap to test with for the traffic that is not being blocked? You may be looking at the session after it's encrypted.

Please post your question to the relevant list and not all of the lists at once. Makes tracking and responding a lot easier :)



On Thu, Nov 19, 2015 at 7:55 AM -0800, "Navneet Singh" <navneet.singh2012 at ...47.....8...<mailto:navneet.singh2012 at ...8...>> wrote:

Hi All

I am testing Snort 2.9.7.6 with OpenAppID on an ARM platform. Snort is using nfq as the DAQ mode and I am able to block various sites as per their appid rules in various browsers. But none of the appids that also have their own Android application are blocked on the client; however, if I browse the same site using a browser on the client, it is blocked fine. I tried known applications like Facebook, YouTube and WhatsApp, but none of them gets blocked.

I use this command
sudo snort -Q --daq nfq --daq-var device=wlan1 --daq-var queue=1 -c /etc/snort/snort.conf -A console

followed by
sudo iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo iptables -I INPUT -j NFQUEUE --queue-num 1
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 1
to run snort.

Here wlan1 is in AP mode and other clients are connected to this interface.

I am also attaching the snort.conf and local.rules files, and the logs from when I run Snort.

Please help me with this issue.

--
Regards
Navneet
