[Snort-openappid] Snort Open AppId - Not detecting Facebook via browser

Payal Gupte (pgupte) pgupte at cisco.com
Sat Jun 1 03:36:16 EDT 2019


Hi Ted,

We have replicated the issue and we plan on fixing it in one of our future updates.

Thanks,
Payal

Sent from my iPhone

On May 29, 2019, at 9:43 AM, Ted via Snort-openappid <snort-openappid at lists.snort.org> wrote:

Hey Costas/Radev,
Thanks for your reply.

Costas, I have tried what you suggested, with the -k and -P params. Still, Snort is able to identify Facebook traffic. I am attaching the PCAP and the whole Snort logs with this mail.

Thanks

On Mon, May 27, 2019 at 12:42 PM RADEV Ivan (EXT) ResgGtsSecSocVdf <ivan.radev-ext at socgen.com> wrote:
Hi Ted,

Test the same filters with an incognito window in Firefox and Chromium and share here if there is a difference. Application filtering works based on the SSL handshake, and your saved browser cookies are reusing your old SSL sessions, directly initiating encrypted messaging with the server.
If this is not the problem, then update your app filters.
If this also doesn’t work, then please let me know what it was when you solve it 😊

All the best,
Ivan Radev

From: Snort-openappid <snort-openappid-bounces at lists.snort.org> On Behalf Of Ted via Snort-openappid
Sent: Friday, May 24, 2019 4:42 PM
To: snort-openappid at lists.snort.org
Subject: [Snort-openappid] Snort Open AppId - Not detecting Facebook via browser

Hi All,

,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.42 2018-03-20
           Using ZLIB version: 1.2.11

Our Snort deployment is as shown above. We are using it for application recognition, so we have enabled only OpenAppID rules.
Snort/OpenAppID is able to recognise various social networking sites, like Twitter, LinkedIn, etc., via browser and command line.

But in the case of facebook.com, Snort is not able to recognise the traffic via browser (tested with Firefox and Chromium). But by using Lynx or curl, Snort is able to detect the facebook.com traffic.

What could be the reason for this scenario?

OpenAppID rules are downloaded from the pfSense repo and the latest OpenAppID is downloaded from the Snort website.
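Ivan's reply attributes the browser-only miss to SSL session resumption, since application filtering keys on the SSL handshake. The script below is an added example, not code from this thread or from Snort/OpenAppID: it builds a constructed TLS 1.2 ClientHello (not a real capture) and parses out the server name plus the resumption hints a defender would look for in the attached PCAP. Extension numbers are the IANA TLS values; everything else is constructed for the demonstration.

```python
import struct

EXT_SNI, EXT_SESSION_TICKET, EXT_PSK = 0x0000, 0x0023, 0x0029   # IANA TLS extension types

def build_client_hello(sni=None, session_id=b"", ticket=None):
    """Constructed TLS 1.2 ClientHello record for testing (not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = struct.pack("!BH", 0, len(name)) + name        # host_name(0) entry
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(body)) + body
    if ticket is not None:                                      # empty ticket = "I support tickets"
        exts += struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    hello = (b"\x03\x03" + bytes(32)                            # client_version, random
             + struct.pack("!B", len(session_id)) + session_id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00"                # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello        # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type handshake(22)

def parse_client_hello(rec):
    """Return SNI and resumption hints from a ClientHello record, or None if it is not one."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    p = 43                                    # record(5) + hs header(4) + version(2) + random(32)
    sid_len = rec[p]; p += 1 + sid_len
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 1 + rec[p]   # cipher_suites, compression
    info = {"sni": None, "session_id_len": sid_len, "session_ticket": False, "psk": False}
    ext_len = struct.unpack("!H", rec[p:p + 2])[0] if p + 2 <= len(rec) else 0  # block may be absent
    p += 2; end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        data = rec[p:p + elen]; p += elen
        if etype == EXT_SNI and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_SESSION_TICKET:
            info["session_ticket"] = elen > 0     # non-empty ticket = resumption attempt
        elif etype == EXT_PSK:
            info["psk"] = True                    # TLS 1.3 resumption
    return info

def resumption_indicators(rec):
    """Resumption hints present (TLS 1.3 sends a random session_id even when not resuming)."""
    info = parse_client_hello(rec)
    if info is None:
        return None
    hints = {"session_id": info["session_id_len"] > 0,
             "session_ticket": info["session_ticket"], "psk": info["psk"]}
    return [name for name, present in hints.items() if present]
```

Run it over the ClientHello records extracted from the browser and curl captures: a hello with no server name, or one carrying a non-empty ticket or PSK, is consistent with the resumption explanation given above.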