[Snort-openappid] Facebook website is blocked, but the mobile app isn't.

Alan Kayahan hsykay at gmail.com
Mon Jun 18 16:29:50 EDT 2018


Thanks for the response Costas. We are already using OpenAppID 7630
(latest) as mentioned in the version output.

2018-06-18 17:06 GMT+02:00 Costas Kleopa (ckleopa) <ckleopa at cisco.com>:

> The Facebook Mobile app is using a different protocol for SSL, for which we
> had to make some improvements in our latest releases.
>
> I would suggest using the latest snort-openappid.tar.gz build from our
> https://snort.org/downloads website, which includes these fixes.
>
> For signatures like fb_message, fb_search, those will not work without
> decrypting the traffic.
>
> Thanks
>
> Costas
>
> From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on
> behalf of Alan Kayahan via Snort-openappid <snort-openappid at lists.snort.org>
> Reply-To: Alan Kayahan <hsykay at gmail.com>
> Date: Friday, June 15, 2018 at 8:11 AM
> To: "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
> Subject: [Snort-openappid] Facebook website is blocked, but the mobile
> app isn't.
>
> Hello,
>
>    ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 245) from 2.9.11
>    ''''    By Martin Roesch & The Snort Team
>            http://snort.org/contact#team
>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.0.4
>            Using OpenSSL 1.0.2g  1 Mar 2016
>            Using libpcap version 1.7.4
>            Using PCRE version 8.38 2015-11-23
>            Using ZLIB version 1.2.8
>            Using FlatBuffers 1.8.0
>            Using Hyperscan version 4.7.0 2018-05-30
>            Using LZMA version 5.1.0alpha
>            +OpenAppID DB v7630
>
> Our Snort deployment shown above is operational in inline mode with NFQ.
> We use it for application recognition only, so the only enabled rules are
> OpenAppID rules. The rules "drop" if a particular app is detected.
>
> Facebook signatures don't fully work for us. The Facebook page is blocked;
> however, the Facebook mobile app is still operational. Snort logs indicate
> several hits for the rule when the app is launched, however the content
> still loads and everything is functional.
>
> Second, Facebook sub-signatures such as fb_message and fb_search do not
> catch anything from the mobile app traffic. I was wondering whether these
> signatures work only on unencrypted traffic; nowadays the apps work over
> SSL encrypted channels and SSL pinning makes it difficult/impossible to
> intercept.
>
> Thanks,
>
> Alan
>