[Snort-openappid] Facebook website is blocked, but the mobile app isn't.

Costas Kleopa (ckleopa) ckleopa at cisco.com
Mon Jun 18 11:06:19 EDT 2018

The Facebook Mobile app is using a different protocol for SSL in which we had to create some improvements in our latest releases.
I would suggest using the latest snort-openappid.tar.gz build from our https://snort.org/downloads website in which includes any of these fixes.

For signatures like fb_messsage, fb_search, those will not work without decrypting the traffic.


From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of Alan Kayahan via Snort-openappid <snort-openappid at lists.snort.org>
Reply-To: Alan Kayahan <hsykay at gmail.com>
Date: Friday, June 15, 2018 at 8:11 AM
To: "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: [Snort-openappid] Facebook website is blocked, but the mobile app isn't.


 ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 245) from 2.9.11
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.4
           Using OpenSSL 1.0.2g  1 Mar 2016
           Using libpcap version 1.7.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using FlatBuffers 1.8.0
           Using Hyperscan version 4.7.0 2018-05-30
           Using LZMA version 5.1.0alpha
           +OpenAppID DB v7630

Our Snort deployment shown above is operational in inline mode with NFQ. We use it for application recognition only, so the only enabled rules are OpenAppID rules. The rules "drop" if a particular app is detected.

Facebook signatures don't fully work for us. The Facebook page is blocked, however the Facebook mobile app is still operational. Snort logs indicate several hits for the rule when the app is launched, however the content still loads and everything is functional.

Second, facebook sub-signatures such as fb_message, fb_search, do not catch anything from the mobile app traffic. I was wondering whether these signatures work only on unencrypted traffic; nowadays the apps work over SSL encrypted channels and SSL pinning makes it difficult/impossible to intercept.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180618/a855a51b/attachment.html>

More information about the Snort-openappid mailing list