Snort mailing list archives
OpenAppid rules explanation and behavior, Snort Inline DAQ afpacket
From: Tarek Ben Soltane via Snort-users <snort-users () lists snort org>
Date: Fri, 6 Oct 2017 14:44:01 +0100
Dear All,
I hope you are doing great.
I am running Snort 2.9.9 Inline Mode With DAQ. I am able to drop rules
correctly.
I recently installed openappid and I have created a rule to drop facebook
access such as:
"drop tcp any any -> any any (msg:"OpenAppID: Use of Facebook"; appid: facebook; sid:100007; rev:1;)"
I am not sure if this rule is correct, But I can see the alerts on my
terminal such as:
"[Drop] [**] [1:100007:1] OpenAppID: Use of Facebook [**] [Priority: 0] [AppID: Facebook] {TCP} 31.13.64.35:443 -> x.x.x.x:port"
Now when I open my browser and type: https://www.facebook.com
Access is NOT blocked
But when I type: https://facebook.com
Access is blocked
I just want to know if you guys have witnessed that behavior before?
Best regards
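As an added example (not part of the post above and not Snort's own code), here is a small Python parser for the fast-format alert line Tarek quotes, so a defender can tally AppID verdicts per application instead of eyeballing the console. It assumes the line shape shown in the post, optionally preceded by the "MM/DD-HH:MM:SS.usec" timestamp that Snort 2.9 prints on console output, and that the action prefix is "[Drop]" when the packet was dropped or "[WDrop]" when a drop rule matched but the sensor was not dropping. The sample lines are constructed; 192.0.2.10 is a documentation address standing in for the masked x.x.x.x in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Fast/console alert format as quoted in the post. The leading timestamp is
# optional because the post's copy has none; Snort's console output has one.
ALERT_RE = re.compile(
    r"^(?:(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}(?:\.\d+)?) )?"
    r"(?:\[(?P<action>[A-Za-z]+)\] )?"            # "[Drop]" / "[WDrop]" when present
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"  # absent in the post's rule (no classtype)
    r"\[Priority: (?P<prio>\d+)\]"
    r"(?: \[AppID: (?P<appid>[^\]]+)\])?"          # added by OpenAppID when a flow is classified
    r" \{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample input modelled on the post's alert line (not real captures).
SAMPLE_LINES = [
    "[Drop] [**] [1:100007:1] OpenAppID: Use of Facebook [**] [Priority: 0] "
    "[AppID: Facebook] {TCP} 31.13.64.35:443 -> 192.0.2.10:51234",
    "10/06-14:44:01.123456 [WDrop] [**] [1:100007:1] OpenAppID: Use of Facebook [**] "
    "[Priority: 0] [AppID: Facebook] {TCP} 31.13.64.35:443 -> 192.0.2.10:51235",
    "not an alert line",
]


@dataclass
class Alert:
    action: str            # "Drop", "WDrop", or "Alert" when no prefix was printed
    gid: int
    sid: int
    rev: int
    msg: str
    appid: Optional[str]   # None when OpenAppID did not tag the flow
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str):
    """'31.13.64.35:443' -> ('31.13.64.35', 443); a non-numeric or missing port -> None."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return endpoint, None
    return host, int(port)


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return Alert(
        action=m["action"] or "Alert",
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        msg=m["msg"],
        appid=m["appid"],
        proto=m["proto"],
        src_ip=src_ip,
        src_port=src_port,
        dst_ip=dst_ip,
        dst_port=dst_port,
    )


def summarize(lines: Iterable[str]) -> Counter:
    """Count (appid, action) pairs so verdicts per application can be compared."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[(alert.appid, alert.action)] += 1
    return counts


if __name__ == "__main__":
    for (appid, action), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{appid!s:12} {action:6} {n}")
```

Feeding the real console output through `summarize` while browsing www.facebook.com and then facebook.com shows whether the first case produced no AppID-tagged alert at all (the flow was never classified as Facebook) or produced one without a "Drop" verdict, which narrows down where to look next.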