[Snort-openappid] Using Snort on pfsense

Costas Kleopa (ckleopa) ckleopa at cisco.com
Mon Apr 23 10:39:33 EDT 2018


I just want to double check if you are using the “-k none” to not ignore traffic bad checksums and “-P 9000 “ to handle jumbo frames.

If that’s already there and it’s not working, try testing it with something other than Facebook. Some of the traffic from Facebook is not using the standard TLS protocol, they have a slightly different version of their own in which it’s causing us not to identify it. We have an upcoming update on the Open Source Package which will allow us to detect the Facebook traffic better.


From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of Cory Juillerat <cjuillerat at ztlsd.org>
Date: Friday, April 20, 2018 at 2:28 PM
To: Y M <snort at outlook.com>
Cc: "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: Re: [Snort-openappid] Using Snort on pfsense

Thanks Y M,

That is actually the video I watched go setup Snort or pfsense, which was an awesome video. I remember seeing things come in like netflix. Since I have a pretty large network, I am wondering if pfsense int capturing everyone's request via Snort.... for example, I visited netflix on my computer and searched for my IP address on the alerts page and saw my request. But the next thing I did was visit Facebook and nothing showed up when viewing alerts and searching for my IP address.

On Fri, Apr 20, 2018, 2:15 PM Y M via Snort-openappid <snort-openappid at lists.snort.org<mailto:snort-openappid at lists.snort.org>> wrote:


The AppID detectors are open-source and are available on the Snort website. So I don't think the subscription is at play here. In an earlier thread, I posted a link to a YouTube video for configuring AppID on pfsense. The presenter showed that AppID is picking up Netflix, among other apps. Here is the link for the video https://youtu.be/-GgqYq5-EBg

Hope this helps.


From: Snort-openappid <snort-openappid-bounces at lists.snort.org<mailto:snort-openappid-bounces at lists.snort.org>> on behalf of Cory Juillerat <cjuillerat at ztlsd.org<mailto:cjuillerat at ztlsd.org>>
Sent: Friday, April 20, 2018 8:30 PM
To: snort-openappid at lists.snort.org<mailto:snort-openappid at lists.snort.org>
Subject: [Snort-openappid] Using Snort on pfsense

Good afternoon,

I decided to recently try Snort mainly for the App ID capability.. I work at a school so students are always using social networking apps and streaming media apps. I created the WAN interface and started the Snort process on this interface. I am using the predefined balanced IPS policy and I also placed a check in all of the check boxes underneath Snort OPENAPPI Rules and Ruleset: ET Open Rules.

Now onto the issue I am having.. When I go to the alerts tab, most of what I see is Chrome and http traffic underneath description. There are no social networking or streaming services populating, even though I know people are using them. Does the free subscription just not have the most up to date App ID's, so nothing is coming up?

Thank you,

Cory Juillerat, M.S.

Director of Technology

Phone: 740.772.7667

Email: cjuillerat at ztlsd.org<mailto:cjuillerat at ztlsd.org>

Snort-openappid mailing list
Snort-openappid at lists.snort.org<mailto:Snort-openappid at lists.snort.org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180423/071422ff/attachment.html>

More information about the Snort-openappid mailing list