[Snort-openappid] Snort with openappid doesn't block android apps

Navneet Singh navneet.singh2012 at ...8...
Thu Nov 19 23:35:45 EST 2015


Thanks for your quick response and help.

Attaching wireshark captures:
*chrome.pcapng* - working (snort could block youtube) when trying to open from
*youtubeapp.pcapng* - not working (snort could not block youtube) when trying
to open from the youtube application.

Please have a look at them and help me in figuring out the issue.


On Thu, Nov 19, 2015 at 9:34 PM, Costas Kleopa (ckleopa) <ckleopa at ...5...>

> Can you also try adding this in your snort command line, so you can access
> bad checksums and jumbo frames?
>  -k none -P 9000
> Thanks
> Costas
> On Nov 19, 2015, at 10:53 AM, Navneet Singh <navneet.singh2012 at ...8...>
> wrote:
> Hi All
> I am testing snort with openappid on ARM platform. Snort is using
> nfq as daq mode and I am able to block various sites as per their appid
> rules in various browsers. But none of the appids that also have their own
> android application are blocked on the client, however if I browse the same
> site using a browser on the client it is blocked fine. I tried known
> applications like facebook, youtube, whatsapp but none is able to block.
> I use this command
> sudo snort -Q --daq nfq --daq-var device=wlan1 --daq-var queue=1 -c
> /etc/snort/snort.conf -A console
> followed by
> sudo iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> sudo iptables -I FORWARD -j NFQUEUE --queue-num 1
> sudo iptables -I INPUT -j NFQUEUE --queue-num 1
> sudo iptables -I OUTPUT -j NFQUEUE --queue-num 1
> to run snort.
> Here wlan1 is in AP mode and other clients are connected to this interface.
> I am also attaching snort.conf, local.rules files and logs when I run
> snort.
> Please help me with this issue.
> --
> Regards
> Navneet
> <snort.conf><local.rules><snort_log>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: youtubeapp.pcapng
Type: application/x-pcapng
Size: 1359628 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151120/ef8f43c0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chrome.pcapng
Type: application/x-pcapng
Size: 27584 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151120/ef8f43c0/attachment-0001.bin>
