[Snort-openappid] OPENAPPID Custom rules to block globoplay not working

RECIMERO CESAR Fabre cesar.fabre at hc.fm.usp.br
Tue May 29 14:15:20 EDT 2018


Ok, I'll check now!!!

Tks a lot

2018-05-29 15:10 GMT-03:00 O C via Snort-openappid <
snort-openappid at lists.snort.org>:

> Using the "appid_detector_builder.sh" under the tools/ directory from
> Snort's source tarball. Review the link Costas sent earlier on how to
> create custom appid detectors:
> https://blog.snort.org/2014/06/openappid-training-videos-how-to-create.html
>
> YM
>
> ------------------------------
> *From:* RECIMERO CESAR Fabre <cesar.fabre at hc.fm.usp.br>
> *Sent:* Tuesday, May 29, 2018 9:03 PM
> *To:* O C
> *Cc:* RECIMERO CESAR Fabre via Snort-openappid
> *Subject:* Re: [Snort-openappid] OPENAPPID Custom rules to block
> globoplay not working
>
> Hi,
>
> Sorry, I did not create the custom detector in Snort. I know in pfsense
> the custom directory is located at:
>
> /usr/local/etc/snort/custom/lua
>
> How do I create the custom detector for the "globoplay"?
>
>
> I'll be very happy if you help me!!!
>
>
>
> César
>
> 2018-05-29 14:22 GMT-03:00 O C via Snort-openappid <
> snort-openappid at lists.snort.org>:
>
> Was the custom detector "globoplay" created? Otherwise the custom rule is
> referencing an unidentified AppID detector, and no matches will happen.
>
> YM
> ------------------------------
> *From:* Snort-openappid <snort-openappid-bounces at lists.snort.org> on
> behalf of RECIMERO CESAR Fabre via Snort-openappid <
> snort-openappid at lists.snort.org>
> *Sent:* Tuesday, May 29, 2018 8:03 PM
> *To:* snort-openappid at lists.snort.org
> *Subject:* [Snort-openappid] OPENAPPID Custom rules to block globoplay
> not working
>
>
> Hi guys!
>
> I’m trying to block “globoplay”, but I’m not having success on pfsense
> 2.4.3-p1. Here is the custom rule, in:
>
> Snort Interfaces -> LAN Rules -> Category Selection: custom.rules
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"globoplay"; flow:from_client; appid:globoplay; sid:1000055; classtype:misc-activity; rev:1;)
>
> I tried “drop” but it did not work!
>
> Any idea?
>
>
> tks
>
>
> --
> ************************************
> César Fabre, MSc
> NETI-HCFMUSP | CIS
> Telefone: (11) 2661-6018
>
> _______________________________________________
> Snort-openappid mailing list
> Snort-openappid at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-openappid
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


-- 
************************************
César Fabre, MSc
NETI-HCFMUSP | CIS
Telefone: (11) 2661-6018