[Snort-openappid] Using Snort on pfsense

Cory Juillerat cjuillerat at ztlsd.org
Tue Apr 24 08:06:51 EDT 2018


Thanks for letting us know and thank you for your timely response. Greatly
appreciated.

Thank you,


Cory Juillerat, M.S.

Director of Technology

*Phone: *740.772.7667

*Email:* cjuillerat at ztlsd.org



On Mon, Apr 23, 2018 at 8:54 PM, Costas Kleopa (ckleopa) <ckleopa at cisco.com>
wrote:

> Unfortunately, from what I saw on the pfsense samples, they have integrated
> the alerts feature of snort to log the application being detected. The
> alerts are not programmed to be used just once per session; you can actually
> have multiple alerts within the same session, which is what seems to be
> happening based on your description.
>
> We currently don’t have a better way of handling this ourselves but when
> we do, we plan to share the results/changes so other open source tools like
> the pfsense router can use them instead, for reducing the amount of events
> the alerts show.
>
> Thanks,
> Costas
>
> On Apr 23, 2018, at 3:40 PM, Cory Juillerat <cjuillerat at ztlsd.org> wrote:
>
> Since I am on a large network, when I view the alerts tab, I may see 50
> rows of the same IP address that keeps using openvpn. Then 50 rows of
> another IP address that is using chrome, or http. How do I see less of the
> same IP address so I can see more IP addresses, and how can I see more
> applications, such as applications that are in the streaming media or social
> networking lists? I think ntopng shows more than the alerts tab does with
> Snort.
>
> Thank you,
>
>
> Cory Juillerat, M.S.
>
> Director of Technology
>
> *Phone: *740.772.7667
>
> *Email:* cjuillerat at ztlsd.org
>
>
>
> On Mon, Apr 23, 2018 at 2:13 PM, Costas Kleopa (ckleopa) <
> ckleopa at cisco.com> wrote:
>
>> OK in that case unfortunately we are not sure how the pfsense router has
>> configured snort internally.
>>
>> You may have to check its configurations internally or reach out to the
>> pfsense team themselves.
>>
>>
>>
>> *From: *Cory Juillerat <cjuillerat at ztlsd.org>
>> *Date: *Monday, April 23, 2018 at 1:33 PM
>> *To: *"Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
>> *Cc: *Y M <snort at outlook.com>, "snort-openappid at lists.snort.org" <
>> snort-openappid at lists.snort.org>
>> *Subject: *Re: [Snort-openappid] Using Snort on pfsense
>>
>>
>>
>> I am not using the command line, I am using Snort on pfsense
>>
>>
>> Thank you,
>>
>>
>>
>> Cory Juillerat, M.S.
>>
>> Director of Technology
>>
>> *Phone: *740.772.7667
>>
>> *Email:* cjuillerat at ztlsd.org
>>
>>
>>
>>
>> On Mon, Apr 23, 2018 at 1:32 PM, Costas Kleopa (ckleopa) <
>> ckleopa at cisco.com> wrote:
>>
>> Those will need to be added as arguments in your snort command line.
>>
>>
>>
>> *From: *Cory Juillerat <cjuillerat at ztlsd.org>
>> *Date: *Monday, April 23, 2018 at 1:29 PM
>> *To: *"Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
>> *Cc: *Y M <snort at outlook.com>, "snort-openappid at lists.snort.org" <
>> snort-openappid at lists.snort.org>
>> *Subject: *Re: [Snort-openappid] Using Snort on pfsense
>>
>>
>>
>> Costas,
>>
>>
>>
>> Where do you apply the settings you speak of? -k and none and -P 9000
>>
>>
>> Thank you,
>>
>>
>>
>> Cory Juillerat, M.S.
>>
>> Director of Technology
>>
>> *Phone: *740.772.7667
>>
>> *Email:* cjuillerat at ztlsd.org
>>
>>
>>
>>
>> On Mon, Apr 23, 2018 at 10:39 AM, Costas Kleopa (ckleopa) <
>> ckleopa at cisco.com> wrote:
>>
>> Cory,
>>
>>
>>
>> I just want to double check if you are using “-k none” to not ignore
>> traffic with bad checksums and “-P 9000” to handle jumbo frames.
>>
>>
>>
>> If that’s already there and it’s not working, try testing it with
>> something other than Facebook. Some of the traffic from Facebook is not
>> using the standard TLS protocol, they have a slightly different version of
>> their own in which it’s causing us not to identify it. We have an upcoming
>> update on the Open Source Package which will allow us to detect the
>> Facebook traffic better.
>>
>>
>>
>> Thanks
>>
>> Costas
>>
>>
>>
>> *From: *Snort-openappid <snort-openappid-bounces at lists.snort.org> on
>> behalf of Cory Juillerat <cjuillerat at ztlsd.org>
>> *Date: *Friday, April 20, 2018 at 2:28 PM
>> *To: *Y M <snort at outlook.com>
>> *Cc: *"snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
>> *Subject: *Re: [Snort-openappid] Using Snort on pfsense
>>
>>
>>
>> Thanks Y M,
>>
>>
>>
>> That is actually the video I watched to set up Snort on pfsense, which was
>> an awesome video. I remember seeing things come in like netflix. Since I
>> have a pretty large network, I am wondering if pfsense isn't capturing
>> everyone's requests via Snort.... for example, I visited netflix on my
>> computer and searched for my IP address on the alerts page and saw my
>> request. But the next thing I did was visit Facebook and nothing showed up
>> when viewing alerts and searching for my IP address.
>>
>>
>>
>> On Fri, Apr 20, 2018, 2:15 PM Y M via Snort-openappid <
>> snort-openappid at lists.snort.org> wrote:
>>
>> Cory,
>>
>>
>>
>> The AppID detectors are open-source and are available on the Snort
>> website. So I don't think the subscription is at play here. In an earlier
>> thread, I posted a link to a YouTube video for configuring AppID on
>> pfsense. The presenter showed that AppID is picking up Netflix, among other
>> apps. Here is the link for the video https://youtu.be/-GgqYq5-EBg
>>
>>
>>
>> Hope this helps.
>>
>> YM
>>
>>
>> ------------------------------
>>
>> *From:* Snort-openappid <snort-openappid-bounces at lists.snort.org> on
>> behalf of Cory Juillerat <cjuillerat at ztlsd.org>
>> *Sent:* Friday, April 20, 2018 8:30 PM
>> *To:* snort-openappid at lists.snort.org
>> *Subject:* [Snort-openappid] Using Snort on pfsense
>>
>>
>>
>> Good afternoon,
>>
>>
>>
>> I decided to recently try Snort mainly for the App ID capability. I work
>> at a school so students are always using social networking apps and
>> streaming media apps. I created the WAN interface and started the Snort
>> process on this interface. I am using the predefined balanced IPS policy
>> and I also placed a check in all of the check boxes underneath Snort
>> OPENAPPID Rules and Ruleset: ET Open Rules.
>>
>>
>>
>> Now onto the issue I am having. When I go to the alerts tab, most of
>> what I see is Chrome and http traffic underneath description. There are no
>> social networking or streaming services populating, even though I know
>> people are using them. Does the free subscription just not have the most up
>> to date App IDs, so nothing is coming up?
>>
>> Thank you,
>>
>>
>>
>> Cory Juillerat, M.S.
>>
>> Director of Technology
>>
>> *Phone: *740.772.7667
>>
>> *Email:* cjuillerat at ztlsd.org
>>
>>
>> _______________________________________________
>> Snort-openappid mailing list
>> Snort-openappid at lists.snort.org
>> https://lists.snort.org/mailman/listinfo/snort-openappid
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
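Costas explains above that the pfsense integration logs one alert per detection rather than one per session, which is why the alerts tab fills with repeated rows for the same host. The script below is an added example, not code from the thread, Snort or pfSense: it collapses such rows into one entry per (host, application) and counts the distinct sessions behind them. The alert lines are constructed in a simplified comma-separated layout (timestamp, src_ip, src_port, dst_ip, dst_port, app) and do not reproduce pfSense's real alert file format.

```python
"""Collapse repeated per-session AppID alert rows into one line per (host, app).

Added example, not part of the mailing-list thread or of pfSense/Snort. The
alert lines below are constructed in a simplified CSV layout and do not
reproduce pfSense's actual alert file format.
"""
from collections import defaultdict

# Constructed sample: one host triggers the OpenVPN alert several times
# within a single session (same 5-tuple), which is what floods the alerts tab.
SAMPLE_ALERTS = """\
04/23-15:01:02.100,10.1.4.20,51234,203.0.113.9,1194,OpenVPN
04/23-15:01:02.300,10.1.4.20,51234,203.0.113.9,1194,OpenVPN
04/23-15:01:03.900,10.1.4.20,51234,203.0.113.9,1194,OpenVPN
04/23-15:02:10.000,10.1.4.20,51240,203.0.113.9,1194,OpenVPN
04/23-15:02:11.500,10.1.4.31,44120,198.51.100.7,443,Chrome
04/23-15:02:11.700,10.1.4.31,44120,198.51.100.7,443,HTTP
04/23-15:02:12.000,10.1.4.31,44121,198.51.100.8,443,Netflix
04/23-15:02:12.400,10.1.4.31,44121,198.51.100.8,443,Netflix
"""


def summarize(alert_text):
    """Return {src_ip: {app: (alert_rows, distinct_sessions)}}.

    A session is approximated by the (src, sport, dst, dport) tuple; the
    alerts tab discussed in the thread shows one row per alert, not per session.
    """
    rows = defaultdict(int)
    sessions = defaultdict(set)
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        _ts, src, sport, dst, dport, app = line.split(",")
        rows[(src, app)] += 1
        sessions[(src, app)].add((src, sport, dst, dport))
    out = defaultdict(dict)
    for (src, app), n in rows.items():
        out[src][app] = (n, len(sessions[(src, app)]))
    return dict(out)


def apps_per_host(alert_text):
    """One entry per host listing its detected applications, the view asked for."""
    return {src: sorted(apps) for src, apps in summarize(alert_text).items()}
```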

