[Snort-openappid] Snort with openappid doesn't block android apps

Navneet Singh navneet.singh2012 at ...8...
Mon Nov 23 01:03:11 EST 2015


Hi All

I am testing snort 2.9.7.6 with openappid on an ARM platform. Snort is using
nfq as the DAQ mode, and I am able to block various sites according to their appid
rules in various browsers. But none of the appids whose sites also have their own
Android application are blocked on the client; however, if I browse the same
site using a browser on the client, it blocks fine. I tried known
applications like Facebook, YouTube and WhatsApp, but none could be blocked.

I use this command

sudo snort -Q --daq nfq --daq-var device=wlan1 --daq-var queue=1 -c /etc/snort/snort.conf -A console

followed by

sudo iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo iptables -I INPUT -j NFQUEUE --queue-num 1
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 1

to run snort.

Here wlan1 is in AP mode and other clients are connected to this interface.

I am attaching snort.conf, local.rules and the logs from when I run snort.
I am also attaching the following pcap files:
*chrome.pcapng* - working (snort could block YouTube) when opening the site from
Chrome
*youtubeapp.pcapng* - not working (snort could not block YouTube) when opening it
from the YouTube application.

Please help me with this issue.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chrome.pcapng
Type: application/x-pcapng
Size: 27584 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151123/c544133a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: youtubeapp.pcapng
Type: application/x-pcapng
Size: 1359628 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151123/c544133a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27134 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151123/c544133a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.rules
Type: application/octet-stream
Size: 900 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151123/c544133a/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_log
Type: application/octet-stream
Size: 54026 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20151123/c544133a/attachment-0002.obj>
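The first thing to establish in a case like this is whether Snort alerted on the app's flows at all, and whether AppID ever identified an application for them, or whether only the browser flows carry an [AppID: ...] tag. The script below is an added example, not code from the original post or from the Snort project. It parses the alert_fast lines that Snort 2.9.x prints with `-A console` (with the optional `[Drop]` prefix used in inline `-Q` mode and the optional `[AppID: ...]` field the AppID preprocessor adds) and summarises, per flow, how many alerts fired, how many were drops, which rules matched and which applications were identified. The log lines embedded in it are constructed for illustration (TEST-NET addresses, made-up rule messages); they are not taken from the attached snort_log. The same check can be run against the attached captures offline with `snort -r youtubeapp.pcapng -c /etc/snort/snort.conf -A console`, piping the output into the script.

```python
"""Summarise Snort alert_fast console output per flow.

Added example, not part of the original post. Assumes the Snort 2.9.x
alert_fast line layout:

  MM/DD-HH:MM:SS.usec  [Drop] [**] [gid:sid:rev] msg [**] [Classification: ...]
      [Priority: n] [AppID: name] {PROTO} src:sport -> dst:dport

where [Drop]/[WDrop], [Classification: ...] and [AppID: ...] are optional.
IPv4 addresses only, to keep the pattern readable.
"""
import re
import sys
from collections import defaultdict

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>Drop|WDrop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"(?:\[AppID:\s*(?P<appid>[^\]]*)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: two dropped browser flows that AppID tagged as YouTube,
# one startup line Snort prints, and one flow that only hit a plain rule and
# never received an AppID tag. Addresses are from the TEST-NET-3 range.
SAMPLE_LOG = """\
Commencing packet processing (pid=1234)
11/23-01:03:11.101234  [Drop] [**] [1:1000001:1] Block YouTube [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] [AppID: YouTube] {TCP} 192.168.43.12:51232 -> 203.0.113.10:443
11/23-01:03:11.204567  [Drop] [**] [1:1000001:1] Block YouTube [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] [AppID: YouTube] {TCP} 192.168.43.12:51233 -> 203.0.113.10:443
11/23-01:03:12.000111  [**] [1:1000002:1] Log TLS to port 443 [**] [Priority: 3] {TCP} 192.168.43.12:51240 -> 203.0.113.20:443
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dropped"] = rec["action"] in ("Drop", "WDrop")
    return rec


def summarise(lines):
    """Group alerts by (src, dst, proto, dport).

    Returns (flows, skipped): flows maps the key to alert/drop counts, the set
    of gid:sid that matched and the set of AppID names seen; skipped counts
    non-empty lines that were not alerts (Snort's own status output).
    """
    flows = defaultdict(lambda: {"alerts": 0, "drops": 0,
                                 "sids": set(), "appids": set()})
    skipped = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        flow = flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"])]
        flow["alerts"] += 1
        flow["drops"] += int(rec["dropped"])
        flow["sids"].add(f'{rec["gid"]}:{rec["sid"]}')
        if rec["appid"]:
            flow["appids"].add(rec["appid"])
    return dict(flows), skipped


def flows_without_appid(flows):
    """Flows Snort alerted on but never attached an application name to.

    These are the candidates to inspect in the capture: an appid-based drop
    rule cannot match a flow for which AppID produced no identification.
    """
    return sorted((k for k, f in flows.items() if not f["appids"]), key=str)


if __name__ == "__main__":
    # Read a real console log from stdin, or fall back to the constructed sample.
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    flows, skipped = summarise(src)
    for (s, d, proto, dport), f in sorted(flows.items(), key=str):
        print(f"{s} -> {d}:{dport} {proto}: {f['alerts']} alerts, {f['drops']} drops, "
              f"sids={sorted(f['sids'])}, appids={sorted(f['appids'])}")
    print(f"flows with no AppID: {flows_without_appid(flows)}; skipped lines: {skipped}")
```

Run it as `snort -r youtubeapp.pcapng -c /etc/snort/snort.conf -A console 2>/dev/null | python3 summarise_alerts.py` (the script name is arbitrary). If the app's flows show up with no AppID at all, the question becomes what AppID sees on the wire for the app versus the browser; if they do not show up in the alerts at all, check first whether the nfq queue actually receives them, since the FORWARD rule is the one that carries the AP clients' traffic.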


More information about the Snort-openappid mailing list