[Snort-openappid] Facebook website is blocked, but the mobile app isn't.

Alan Kayahan hsykay at gmail.com
Fri Jun 15 08:02:08 EDT 2018


 ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 245) from 2.9.11
   ''''    By Martin Roesch & The Snort Team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.4
           Using OpenSSL 1.0.2g  1 Mar 2016
           Using libpcap version 1.7.4
           Using PCRE version 8.38 2015-11-23
           Using ZLIB version 1.2.8
           Using FlatBuffers 1.8.0
           Using Hyperscan version 4.7.0 2018-05-30
           Using LZMA version 5.1.0alpha
           +OpenAppID DB v7630

Our Snort deployment shown above is operational in inline mode with NFQ. We
use it for application recognition only, so the only enabled rules are
OpenAppID rules. The rules "drop" if a particular app is detected.

Facebook signatures don't fully work for us. The Facebook page is blocked,
however the Facebook mobile app is still operational. Snort logs indicate
several hits for the rule when the app is launched, however the content
still loads and everything is functional.

Second, Facebook sub-signatures such as fb_message, fb_search, do not catch
anything from the mobile app traffic. I was wondering whether these
signatures work only on unencrypted traffic; nowadays the apps work over
SSL encrypted channels and SSL pinning makes it difficult/impossible to
