[Snort-openappid] Using Snort on pfsense

Costas Kleopa (ckleopa) ckleopa at cisco.com
Mon Apr 23 20:54:47 EDT 2018


Unfortunately, from what I saw of the pfSense samples, they have integrated the alerts feature of Snort to log the application being detected. The alerts are not programmed to be used just once per session; you can actually have multiple alerts within the same session, which is what seems to be happening based on your description.

We currently don’t have a better way of handling this ourselves, but when we do, we plan to share the results/changes so that other open source tools like the pfSense router can use them instead, to reduce the number of events the alerts show.

Thanks,
Costas
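Until Snort itself emits one AppID event per session, the collapsing has to happen on the log consumer's side. The script below is an added example, not code from this thread, from pfSense or from Snort: it reads alert lines in Snort's one-line "fast" format, folds every alert into its (protocol, source, source port, destination, destination port, message) session and then counts distinct sessions per source host and application, which is what the alerts tab view in the question is really after. The sample alert lines, SIDs and message texts are constructed for the example; pfSense keeps its own CSV alert log, so `parse_fast_line()` would need adapting to that layout if you read that file directly.

```python
"""Collapse repeated Snort AppID alerts into one row per session.

Added example (not code from this thread, from pfSense or from Snort). It
assumes alerts in Snort's "fast" one-line format; pfSense stores alerts in its
own CSV file, so adapt parse_fast_line() to that layout if you read it directly.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: three AppID hits for one OpenVPN session, a repeated HTTP
# session, two separate Chrome sessions, and one unparseable line. SIDs and
# message texts are made up for the example.
SAMPLE_ALERTS: List[str] = [
    "04/23-15:40:01.100000  [**] [1:1000001:1] AppID: openvpn [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.10.5.21:49152 -> 203.0.113.7:1194",
    "04/23-15:40:01.200000  [**] [1:1000001:1] AppID: openvpn [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.10.5.21:49152 -> 203.0.113.7:1194",
    "04/23-15:40:02.300000  [**] [1:1000001:1] AppID: openvpn [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.10.5.21:49152 -> 203.0.113.7:1194",
    "04/23-15:40:05.000000  [**] [1:1000002:1] AppID: chrome [**] [Priority: 3] {TCP} 10.10.5.21:51000 -> 198.51.100.9:443",
    "04/23-15:40:06.000000  [**] [1:1000003:1] AppID: http [**] [Priority: 3] {TCP} 10.10.5.22:51001 -> 198.51.100.9:80",
    "04/23-15:40:06.500000  [**] [1:1000003:1] AppID: http [**] [Priority: 3] {TCP} 10.10.5.22:51001 -> 198.51.100.9:80",
    "04/23-15:40:07.000000  [**] [1:1000002:1] AppID: chrome [**] [Priority: 3] {TCP} 10.10.5.21:51002 -> 198.51.100.9:443",
    "this line is truncated garbage and must not crash the parser",
]

# One Snort "fast" alert line. IPv4 only to keep the pattern readable; anything
# that does not match is counted as skipped rather than dropped silently.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

SessionKey = Tuple[str, str, int, str, int, str]  # proto, src, sport, dst, dport, msg


@dataclass
class Session:
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_fast_line(line: str) -> Optional[dict]:
    """Return the named fields of a fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def collapse(lines: Iterable[str]) -> Tuple[Dict[SessionKey, Session], int]:
    """Fold every alert into its (5-tuple, message) session.

    Returns the sessions in first-seen order plus the number of skipped lines.
    Caveat: direction is not normalised, so an alert Snort emits on the
    server-to-client half of a flow lands under a separate key.
    """
    sessions: Dict[SessionKey, Session] = {}
    skipped = 0
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None:
            skipped += 1
            continue
        key: SessionKey = (rec["proto"], rec["src"], int(rec["sport"]),
                           rec["dst"], int(rec["dport"]), rec["msg"])
        s = sessions.setdefault(key, Session())
        if s.count == 0:
            s.first_seen = rec["ts"]
        s.count += 1
        s.last_seen = rec["ts"]
    return sessions, skipped


def per_host_apps(sessions: Dict[SessionKey, Session]) -> Dict[str, Dict[str, int]]:
    """Distinct sessions per (source host, alert message): one row per host/app pair."""
    out: Dict[str, Dict[str, int]] = {}
    for (_proto, src, _sport, _dst, _dport, msg) in sessions:
        apps = out.setdefault(src, {})
        apps[msg] = apps.get(msg, 0) + 1
    return out


if __name__ == "__main__":
    found, dropped = collapse(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} lines -> {len(found)} sessions ({dropped} skipped)")
    for (proto, src, sport, dst, dport, msg), s in found.items():
        print(f"{s.first_seen} .. {s.last_seen} x{s.count:<3} {proto} {src}:{sport} -> {dst}:{dport}  {msg}")
    for host, apps in per_host_apps(found).items():
        print(host, apps)
```

Run against the constructed sample, the eight input lines become four sessions (the three OpenVPN alerts collapse into one row with a hit count of 3) and the per-host summary reports one OpenVPN and two Chrome sessions for 10.10.5.21 and one HTTP session for 10.10.5.22. The message text is kept in the session key on purpose: the same flow can legitimately raise several different AppID alerts (for example an HTTP detection followed by a client detection), and collapsing across messages would hide that.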

On Apr 23, 2018, at 3:40 PM, Cory Juillerat <cjuillerat at ztlsd.org> wrote:

Since I am on a large network, when I view the alerts tab, I may see 50 rows of the same IP address that keeps using OpenVPN. Then 50 rows of another IP address that is using Chrome, or HTTP. How do I see less of the same IP address so I can see more IP addresses, and how can I see more applications, such as applications that are in the streaming media or social networking lists? I think ntopng shows more than the alerts tab does with Snort.


Thank you,


Cory Juillerat, M.S.

Director of Technology

Phone: 740.772.7667

Email: cjuillerat at ztlsd.org


On Mon, Apr 23, 2018 at 2:13 PM, Costas Kleopa (ckleopa) <ckleopa at cisco.com> wrote:
OK, in that case, unfortunately we are not sure how the pfSense router has configured Snort internally.
You may have to check its configuration internally or reach out to the pfSense team themselves.

From: Cory Juillerat <cjuillerat at ztlsd.org>
Date: Monday, April 23, 2018 at 1:33 PM
To: "Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
Cc: Y M <snort at outlook.com>, "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: Re: [Snort-openappid] Using Snort on pfsense

I am not using the command line; I am using Snort on pfSense.


Thank you,



Cory Juillerat, M.S.

Director of Technology

Phone: 740.772.7667

Email: cjuillerat at ztlsd.org


On Mon, Apr 23, 2018 at 1:32 PM, Costas Kleopa (ckleopa) <ckleopa at cisco.com> wrote:
Those will need to be added as arguments in your Snort command line.
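When the Snort process is started by a package such as pfSense rather than by hand, there is usually no way to append command-line flags, but the two flags discussed in this thread have equivalent `config` directives in snort.conf. The fragment below is an added example, not text from this thread or from the pfSense package; it assumes the Snort 2.9.x configuration syntax (the generation pfSense shipped at the time of this thread) and that the package offers a per-interface text box for raw configuration lines, which you should verify for your package version before relying on it.

```conf
# Added example: snort.conf equivalents of the command-line flags -k none and
# -P 9000 (Snort 2.9.x syntax; not taken from the thread or from pfSense).
# Assumption: the pfSense Snort package passes lines entered in its
# per-interface advanced configuration box through to snort.conf unchanged.

# Default (what you get without any directive): checksums are verified for all
# protocols and packets that fail are dropped before inspection, so AppID never
# sees traffic mangled by NIC checksum offload.
#config checksum_mode: all

# Equivalent of "-k none": inspect packets even when the checksum is bad.
config checksum_mode: none

# Equivalent of "-P 9000": capture up to 9000 bytes per packet so jumbo
# frames are not truncated (default snaplen is 1518).
config snaplen: 9000
```

Only one `checksum_mode` line should be active; the default is shown commented out so the before/after pair is visible side by side. After changing either setting, restart the Snort instance on that interface and confirm in the Snort start-up log that the values were picked up, since a directive the package did not pass through fails silently.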

From: Cory Juillerat <cjuillerat at ztlsd.org>
Date: Monday, April 23, 2018 at 1:29 PM
To: "Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
Cc: Y M <snort at outlook.com>, "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: Re: [Snort-openappid] Using Snort on pfsense

Costas,

Where do you apply the settings you speak of? -k none and -P 9000


Thank you,



Cory Juillerat, M.S.

Director of Technology

Phone: 740.772.7667

Email: cjuillerat at ztlsd.org


On Mon, Apr 23, 2018 at 10:39 AM, Costas Kleopa (ckleopa) <ckleopa at cisco.com> wrote:
Cory,

I just want to double-check whether you are using “-k none” to not ignore traffic with bad checksums, and “-P 9000” to handle jumbo frames.

If that’s already there and it’s not working, try testing it with something other than Facebook. Some of the traffic from Facebook is not using the standard TLS protocol; they have a slightly different version of their own, which is causing us not to identify it. We have an upcoming update on the Open Source Package which will allow us to detect the Facebook traffic better.

Thanks
Costas

From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of Cory Juillerat <cjuillerat at ztlsd.org>
Date: Friday, April 20, 2018 at 2:28 PM
To: Y M <snort at outlook.com>
Cc: "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: Re: [Snort-openappid] Using Snort on pfsense

Thanks Y M,

That is actually the video I watched to set up Snort on pfSense, which was an awesome video. I remember seeing things come in like Netflix. Since I have a pretty large network, I am wondering if pfSense isn't capturing everyone's requests via Snort.... for example, I visited Netflix on my computer and searched for my IP address on the alerts page and saw my request. But the next thing I did was visit Facebook, and nothing showed up when viewing alerts and searching for my IP address.

On Fri, Apr 20, 2018, 2:15 PM Y M via Snort-openappid <snort-openappid at lists.snort.org> wrote:

Cory,

The AppID detectors are open-source and are available on the Snort website. So I don't think the subscription is at play here. In an earlier thread, I posted a link to a YouTube video for configuring AppID on pfsense. The presenter showed that AppID is picking up Netflix, among other apps. Here is the link for the video https://youtu.be/-GgqYq5-EBg

Hope this helps.

YM

________________________________
From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of Cory Juillerat <cjuillerat at ztlsd.org>
Sent: Friday, April 20, 2018 8:30 PM
To: snort-openappid at lists.snort.org
Subject: [Snort-openappid] Using Snort on pfsense

Good afternoon,

I decided to recently try Snort, mainly for the App ID capability. I work at a school, so students are always using social networking apps and streaming media apps. I created the WAN interface and started the Snort process on this interface. I am using the predefined balanced IPS policy, and I also placed a check in all of the check boxes underneath Snort OPENAPPID Rules and Ruleset: ET Open Rules.

Now on to the issue I am having. When I go to the alerts tab, most of what I see is Chrome and HTTP traffic underneath description. There are no social networking or streaming services populating, even though I know people are using them. Does the free subscription just not have the most up-to-date App IDs, so nothing is coming up?

Thank you,



Cory Juillerat, M.S.

Director of Technology

Phone: 740.772.7667

Email: cjuillerat at ztlsd.org

_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!


