[Snort-openappid] Using Snort on pfsense

Y M snort at outlook.com
Fri Apr 20 14:41:35 EDT 2018


I guess additional testing is required. Maybe disable all AppIDs and just enable a couple and test with different browsers or computers. In many cases, SSL interception is not required. The detectors may look for content in DNS, CN match in the SSL handshake if the SSL handshake is present in the traffic, URIs etc. If you have the time, I suggest that you take a look at the contents of the detectors. They are easy to understand and will help you troubleshoot.

Thanks.
YM
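
The detectors YM refers to classify traffic from cleartext fields, so no SSL interception is needed. The following is an added example, not code from the thread or from the OpenAppID project: a toy application detector that pulls the query name out of a DNS query, the server_name (SNI) out of a TLS ClientHello, and the Host header out of a plain HTTP request, then matches each against a pattern table. The pattern table, the app names and the packet bytes are all constructed here for illustration; real OpenAppID detectors are Lua files with their own pattern API, and the CN check YM mentions looks at the server certificate rather than the SNI used here.

```python
"""Toy cleartext application detector (added example, not OpenAppID code)."""
import struct

# Constructed pattern table; illustrative only, not the project's detectors.
APP_PATTERNS = {
    "Netflix":  ["netflix.com", "nflxvideo.net"],
    "Facebook": ["facebook.com", "fbcdn.net"],
}


def match_host(host):
    """Map a hostname to an app name by domain suffix, or None."""
    host = host.lower().rstrip(".")
    for app, suffixes in APP_PATTERNS.items():
        for s in suffixes:
            if host == s or host.endswith("." + s):
                return app
    return None


def dns_query_name(payload):
    """Return the QNAME of a DNS query (UDP payload, 12-byte header first)."""
    labels, off = [], 12
    while True:
        ln = payload[off]
        off += 1
        if ln == 0:
            break
        labels.append(payload[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels)


def tls_sni(record):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not ClientHello
    hs = record[5:]
    off = 4 + 2 + 32                     # handshake header, version, random
    off += 1 + hs[off]                   # session id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher suites
    off += 1 + hs[off]                   # compression methods
    if off + 2 > len(hs):
        return None                      # no extensions block
    ext_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if etype == 0:                   # server_name extension
            # list length (2), name type (1), name length (2), name bytes
            name_len = struct.unpack("!H", hs[off + 3:off + 5])[0]
            return hs[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None


def http_host(payload):
    """Return the Host header of a cleartext HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(kind, payload):
    """Classify one payload of the given kind ('dns', 'tls' or 'http')."""
    if kind == "dns":
        host = dns_query_name(payload)
    elif kind == "tls":
        host = tls_sni(payload)
    elif kind == "http":
        host = http_host(payload)
    else:
        host = None
    return match_host(host) if host else None


# Builders for constructed sample packets (only so the example runs offline).
def build_dns_query(name):
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_client_hello(sni):
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, sid
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # compression: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLES = [  # constructed traffic, not captures from the poster's network
    ("dns", build_dns_query("www.netflix.com")),
    ("tls", build_client_hello("www.facebook.com")),
    ("http", b"GET /watch HTTP/1.1\r\nHost: www.netflix.com\r\n\r\n"),
    ("tls", build_client_hello("example.org")),
]


def classify_samples():
    return [classify(kind, payload) for kind, payload in SAMPLES]


if __name__ == "__main__":
    for (kind, _), app in zip(SAMPLES, classify_samples()):
        print(kind, "->", app)
```

The fourth sample shows the failure mode worth checking when an app "does not show up": the handshake was parsed fine, but no pattern matched, so the flow stays unclassified. Troubleshooting in the real detectors is the same exercise: confirm the cleartext field is actually present in the traffic, then confirm a pattern covers it.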

________________________________
From: Cory Juillerat <cjuillerat at ztlsd.org>
Sent: Friday, April 20, 2018 9:27 PM
To: Y M
Cc: snort-openappid at lists.snort.org
Subject: Re: [Snort-openappid] Using Snort on pfsense

Thanks Y M,

That is actually the video I watched to set up Snort on pfsense, which was an awesome video. I remember seeing things come in like Netflix. Since I have a pretty large network, I am wondering if pfsense isn't capturing everyone's requests via Snort. For example, I visited Netflix on my computer, searched for my IP address on the alerts page and saw my request. But the next thing I did was visit Facebook, and nothing showed up when viewing alerts and searching for my IP address.

On Fri, Apr 20, 2018, 2:15 PM Y M via Snort-openappid <snort-openappid at lists.snort.org> wrote:

Cory,


The AppID detectors are open-source and are available on the Snort website. So I don't think the subscription is at play here. In an earlier thread, I posted a link to a YouTube video for configuring AppID on pfsense. The presenter showed that AppID is picking up Netflix, among other apps. Here is the link for the video https://youtu.be/-GgqYq5-EBg


Hope this helps.

YM


________________________________
From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of Cory Juillerat <cjuillerat at ztlsd.org>
Sent: Friday, April 20, 2018 8:30 PM
To: snort-openappid at lists.snort.org
Subject: [Snort-openappid] Using Snort on pfsense

Good afternoon,

I decided recently to try Snort, mainly for the App ID capability. I work at a school, so students are always using social networking apps and streaming media apps. I created the WAN interface and started the Snort process on this interface. I am using the predefined balanced IPS policy, and I also placed a check in all of the check boxes underneath Snort OPENAPPID Rules and Ruleset: ET Open Rules.

Now onto the issue I am having. When I go to the alerts tab, most of what I see under description is Chrome and http traffic. There are no social networking or streaming services populating, even though I know people are using them. Does the free subscription just not have the most up-to-date App IDs, so nothing is coming up?

Thank you,


Cory Juillerat, M.S.

Director of Technology

Phone: 740.772.7667

Email: cjuillerat at ztlsd.org


_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!

