Snort mailing list archives
OpenAppid rules explanation and behavior, Snort Inline DAQ afpacket
From: Tarek Ben Soltane via Snort-users <snort-users () lists snort org>
Date: Fri, 6 Oct 2017 14:44:01 +0100
Dear All,

I hope you are doing great. I am running Snort 2.9.9 Inline Mode with DAQ. I am able to drop rules correctly. I recently installed openappid and I have created a rule to drop Facebook access such as:

    drop tcp any any -> any any (msg:"OpenAppID: Use of Facebook"; appid: facebook; sid:100007; rev:1;)

I am not sure if this rule is correct, but I can see the alerts on my terminal such as:

    [Drop] [**] [1:100007:1] OpenAppID: Use of Facebook [**] [Priority: 0] [AppID: Facebook] {TCP} 31.13.64.35:443 -> x.x.x.x:port

Now when I open my browser and type https://www.facebook.com, access is NOT blocked. But when I type https://facebook.com, access is blocked.

I just want to know if you guys have witnessed that behavior before?

Best regards