[Snort-openappid] Facebook website is blocked, but the mobile app isn't.

Costas Kleopa (ckleopa) ckleopa at cisco.com
Mon Jun 18 16:45:11 EDT 2018


OK that’s good to know.

In that case, let’s make sure that you are not dealing with any bad checksums, or jumbo frames by adding the parameters: "-k none -P 9000”.
If that does not allow you to detect the Facebook mobile traffic, feel free to capture a small pcap of that traffic that is getting missed and send it to us to take a look at it.

Thanks
Costas

From: Alan Kayahan <hsykay at gmail.com>
Date: Monday, June 18, 2018 at 4:29 PM
To: "Costas Kleopa (ckleopa)" <ckleopa at cisco.com>
Cc: "snort-openappid at lists.snort.org" <snort-openappid at lists.snort.org>
Subject: Re: [Snort-openappid] Facebook website is blocked, but the mobile app isn't.

Thanks for the response Costas. We are already using OpenAppID 7630 (latest) as mentioned in the version output.

2018-06-18 17:06 GMT+02:00 Costas Kleopa (ckleopa) <ckleopa at cisco.com<mailto:ckleopa at cisco.com>>:
The Facebook Mobile app is using a different protocol for SSL in which we had to create some improvements in our latest releases.
I would suggest using the latest snort-openappid.tar.gz build from our https://snort.org/downloads website in which includes any of these fixes.

For signatures like fb_messsage, fb_search, those will not work without decrypting the traffic.

Thanks
Costas

From: Snort-openappid <snort-openappid-bounces at lists.snort.org<mailto:snort-openappid-bounces at lists.snort.org>> on behalf of Alan Kayahan via Snort-openappid <snort-openappid at lists.snort.org<mailto:snort-openappid at lists.snort.org>>
Reply-To: Alan Kayahan <hsykay at gmail.com<mailto:hsykay at gmail.com>>
Date: Friday, June 15, 2018 at 8:11 AM
To: "snort-openappid at lists.snort.org<mailto:snort-openappid at lists.snort.org>" <snort-openappid at lists.snort.org<mailto:snort-openappid at lists.snort.org>>
Subject: [Snort-openappid] Facebook website is blocked, but the mobile app isn't.

Hello,

 ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 245) from 2.9.11
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.4
           Using OpenSSL 1.0.2g  1 Mar 2016
           Using libpcap version 1.7.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using FlatBuffers 1.8.0
           Using Hyperscan version 4.7.0 2018-05-30
           Using LZMA version 5.1.0alpha
           +OpenAppID DB v7630

Our Snort deployment shown above is operational in inline mode with NFQ. We use it for application recognition only, so the only enabled rules are OpenAppID rules. The rules "drop" if a particular app is detected.

Facebook signatures don't fully work for us. The Facebook page is blocked, however the Facebook mobile app is still operational. Snort logs indicate several hits for the rule when the app is launched, however the content still loads and everything is functional.

Second, facebook sub-signatures such as fb_message, fb_search, do not catch anything from the mobile app traffic. I was wondering whether these signatures work only on unencrypted traffic; nowadays the apps work over SSL encrypted channels and SSL pinning makes it difficult/impossible to intercept.

Thanks,
Alan



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20180618/e13ade03/attachment-0001.html>


More information about the Snort-openappid mailing list