[Snort-openappid] Snort Open AppId - Not detecting Facebook via browser

Ted bugwrapper91 at gmail.com
Fri Jun 28 02:59:47 EDT 2019


Hi Payal,
Is there a solution available for the above issue?
Thanks & Regards
Ted

On Sat, Jun 1, 2019 at 1:06 PM Payal Gupte (pgupte) <pgupte at cisco.com>
wrote:

> Hi Ted,
>
> We have replicated the issue and we plan on fixing it in one of our future
> updates.
>
> Thanks,
> Payal
>
> On May 29, 2019, at 9:43 AM, Ted via Snort-openappid <
> snort-openappid at lists.snort.org> wrote:
>
> Hey Costas/Radev,
> Thanks for your reply.
>
> Costas, I have tried with what you have suggested, with -k and -P params.
> Still snort is able to identify Facebook traffic. I am attaching the PCAP
> and whole snort logs
> with this mail.
>
> Thanks
>
> On Mon, May 27, 2019 at 12:42 PM RADEV Ivan (EXT) ResgGtsSecSocVdf <
> ivan.radev-ext at socgen.com> wrote:
>
>> Hi Ted,
>>
>>
>>
>> Test the same filters with an incognito window in Firefox and Chromium and
>> share here if there is a difference. Application filtering works based on
>> the SSL handshake and your saved browser cookies are reusing your old SSL
>> sessions directly initiating encrypted messaging with the server.
>>
>> If this is not the problem, then update your app filters.
>>
>> If this also doesn’t work, then please let me know what it was when you
>> solve it 😊
>>
>>
>>
>> All the best,
>>
>> *Ivan Radev*
>>
>>
>>
>> *From:* Snort-openappid <snort-openappid-bounces at lists.snort.org> *On
>> Behalf Of *Ted via Snort-openappid
>> *Sent:* Friday, May 24, 2019 4:42 PM
>> *To:* snort-openappid at lists.snort.org
>> *Subject:* [Snort-openappid] Snort Open AppId - Not detecting Facebook
>> via browser
>>
>>
>>
>> Hi All,
>>
>>
>>
>> ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.12 GRE (Build 325) FreeBSD
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/contact#team
>>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All
>> rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.8.1
>>            Using PCRE version: 8.42 2018-03-20
>>            Using ZLIB version: 1.2.11
>>
>>
>>
>> Our snort Deployment is as shown above. We are using it for application
>> recognition, so we have enabled only Open App ID rules.
>>
>> Snort/Open App Id is able to recognise various social networking sites,
>> like twitter, linkedin etc. via Browser and Command line.
>>
>>
>>
>> But in the case of facebook.com Snort is not able to recognise the
>> traffic via Browser (tested with Firefox and Chromium). But by using Lynx
>> or curl Snort is able to detect the facebook.com traffic.
>>
>>
>>
>> What could be the reason for this scenario?
>>
>>
>>
>> Open AppId rules are downloaded from pfsense repo and Latest open appid
>> is downloaded from snort website.
>>
> <Debug.zip>