[Snort-openappid] Using Snort on pfsense

Cory Juillerat cjuillerat at ztlsd.org
Mon Apr 23 13:29:49 EDT 2018


Costas,

Where do you apply the settings you speak of? -k none and -P 9000

Thank you,


Cory Juillerat, M.S.

Director of Technology

*Phone: *740.772.7667

*Email:* cjuillerat at ztlsd.org



On Mon, Apr 23, 2018 at 10:39 AM, Costas Kleopa (ckleopa) <ckleopa at cisco.com
> wrote:

> Cory,
>
>
>
> I just want to double check if you are using the “-k none” to not ignore
> traffic with bad checksums and “-P 9000” to handle jumbo frames.
>
>
>
> If that’s already there and it’s not working, try testing it with
> something other than Facebook. Some of the traffic from Facebook is not
> using the standard TLS protocol, they have a slightly different version of
> their own in which it’s causing us not to identify it. We have an upcoming
> update on the Open Source Package which will allow us to detect the
> Facebook traffic better.
>
>
>
> Thanks
>
> Costas
>
>
>
> *From: *Snort-openappid <snort-openappid-bounces at lists.snort.org> on
> behalf of Cory Juillerat <cjuillerat at ztlsd.org>
> *Date: *Friday, April 20, 2018 at 2:28 PM
> *To: *Y M <snort at outlook.com>
> *Cc: *"snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
> *Subject: *Re: [Snort-openappid] Using Snort on pfsense
>
>
>
> Thanks Y M,
>
>
>
> That is actually the video I watched to set up Snort on pfsense, which was
> an awesome video. I remember seeing things come in like netflix. Since I
> have a pretty large network, I am wondering if pfsense isn't capturing
> everyone's request via Snort.... for example, I visited netflix on my
> computer and searched for my IP address on the alerts page and saw my
> request. But the next thing I did was visit Facebook and nothing showed up
> when viewing alerts and searching for my IP address.
>
>
>
> On Fri, Apr 20, 2018, 2:15 PM Y M via Snort-openappid <
> snort-openappid at lists.snort.org> wrote:
>
> Cory,
>
>
>
> The AppID detectors are open-source and are available on the Snort
> website. So I don't think the subscription is at play here. In an earlier
> thread, I posted a link to a YouTube video for configuring AppID on
> pfsense. The presenter showed that AppID is picking up Netflix, among other
> apps. Here is the link for the video https://youtu.be/-GgqYq5-EBg
>
>
>
> Hope this helps.
>
> YM
>
>
> ------------------------------
>
> *From:* Snort-openappid <snort-openappid-bounces at lists.snort.org> on
> behalf of Cory Juillerat <cjuillerat at ztlsd.org>
> *Sent:* Friday, April 20, 2018 8:30 PM
> *To:* snort-openappid at lists.snort.org
> *Subject:* [Snort-openappid] Using Snort on pfsense
>
>
>
> Good afternoon,
>
>
>
> I decided to recently try Snort mainly for the App ID capability. I work
> at a school so students are always using social networking apps and
> streaming media apps. I created the WAN interface and started the Snort
> process on this interface. I am using the predefined balanced IPS policy
> and I also placed a check in all of the check boxes underneath Snort
> OPENAPPID Rules and Ruleset: ET Open Rules.
>
>
>
> Now onto the issue I am having. When I go to the alerts tab, most of what
> I see is Chrome and http traffic underneath description. There are no
> social networking or streaming services populating, even though I know
> people are using them. Does the free subscription just not have the most up
> to date App IDs, so nothing is coming up?
>
> Thank you,
>
>
>
> Cory Juillerat, M.S.
>
> Director of Technology
>
> *Phone: *740.772.7667
>
> *Email:* cjuillerat at ztlsd.org
>
>
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-openappid
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>