[Snort-openappid] OPENAPPID Custom rules to block globoplay not working

O C snort at outlook.com
Tue May 29 14:10:11 EDT 2018


Using the "appid_detector_builder.sh" under the tools/ directory from Snort's source tarball. Review the link Costas sent earlier on how to create custom appid detectors: https://blog.snort.org/2014/06/openappid-training-videos-how-to-create.html

YM

________________________________
From: RECIMERO CESAR Fabre <cesar.fabre at hc.fm.usp.br>
Sent: Tuesday, May 29, 2018 9:03 PM
To: O C
Cc: RECIMERO CESAR Fabre via Snort-openappid
Subject: Re: [Snort-openappid] OPENAPPID Custom rules to block globoplay not working

Hi,

Sorry, I did not create the custom detector in Snort. I know in pfsense the custom directory is located at:

/usr/local/etc/snort/custom/lua

How do I create the custom detector for the "globoplay"?


I'll be very happy if you help me!!!



César

2018-05-29 14:22 GMT-03:00 O C via Snort-openappid <snort-openappid at lists.snort.org>:
Was the custom detector "globoplay" created? Otherwise the custom rule is referencing an unidentified AppID detector, and no matches will happen.

YM
________________________________
From: Snort-openappid <snort-openappid-bounces at lists.snort.org> on behalf of RECIMERO CESAR Fabre via Snort-openappid <snort-openappid at lists.snort.org>
Sent: Tuesday, May 29, 2018 8:03 PM
To: snort-openappid at lists.snort.org
Subject: [Snort-openappid] OPENAPPID Custom rules to block globoplay not working


Hi guys!

I'm trying to block "globoplay", but I'm not having success on pfsense 2.4.3-p1. The custom rule follows, in:

Snort Interfaces -> LAN Rules -> Category Selection: custom.rules

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"globoplay"; flow:from_client; appid:globoplay; sid:1000055; classtype:misc-activity; rev:1;)

I tried “drop” but it did not work!

Any idea?


tks


--
************************************
César Fabre, MSc
NETI-HCFMUSP | CIS
Telefone: (11) 2661-6018

_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!




--
************************************
César Fabre, MSc
NETI-HCFMUSP | CIS
Telefone: (11) 2661-6018
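To make the point in the thread concrete, here is an added example of what a custom AppID detector for "globoplay" could look like. It is not from the original mails, from the Snort project, or from the builder script's actual output for this case; it follows the skeleton that appid_detector_builder.sh emits (a DetectorPackageInfo table plus DetectorInit/DetectorClean functions). The hostnames, the AppID number 10001, and the exact argument order of addHttpPattern are assumptions and should be checked against a file generated by the builder for your Snort version before use.

```lua
--[[
detection_name: globoplay
version: 1
description: Example custom detector (hypothetical; mirrors the builder skeleton)
--]]

require "DetectorCommon"
local DC = DetectorCommon

-- The name here is what a rule's "appid:globoplay" option must resolve to.
-- If no loaded detector carries this name, the rule can never match
-- (this is the situation described in the thread).
DetectorPackageInfo = {
    name = "globoplay",
    proto = DC.ipproto.tcp,
    client = {
        init = 'DetectorInit',
        clean = 'DetectorClean',
        minimum_matches = 1
    }
}

-- Assumed AppID number; the builder assigns one, and the same number/name
-- pair must be present in the custom appMapping.data for the name to resolve.
local gAppId = 10001

-- Assumed HTTP Host header patterns; these are illustrative, not verified
-- against the real service.
local hostPatterns = {
    'globoplay.globo.com',
    'globo.com'
}

function DetectorInit(detectorInstance)
    gDetector = detectorInstance
    for _, host in ipairs(hostPatterns) do
        -- Argument layout assumed from OpenAppID's HTTP host-pattern
        -- detectors; verify the positions against a builder-generated file.
        gDetector:addHttpPattern(2, 5, 0, 461, 1, 0, 0, host, gAppId, 1)
    end
    return gDetector
end

function DetectorClean()
end
```

On pfSense this file would go under the custom Lua directory named in the thread (/usr/local/etc/snort/custom/lua), after which Snort has to be restarted so the detector is loaded; only then does the appid:globoplay option in the rule have something to match, and only then is switching the rule from alert to drop meaningful.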