Snort mailing list archives

Re: Prevent VPN


From: "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 26 Jul 2021 08:49:21 +0000

AppId supports detection of various VPN applications such as Monster VPN, OpenVPN, ibVPN, etc. You can look at all the 
VPN applications AppId supports at https://appid.cisco.com or in the appMapping.data that is included in the Open 
Detector Package.

You can create an IPS rule to block an application. Here’s an example Lua file that blocks Monster VPN:


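local_rules =
[[
block tcp any any -> any any ( msg:"block "; appids:"Monster VPN"; sid:1; )
]]

-- enable the stream modules with default settings
stream = {}
stream_tcp = {}

appid =
{
    -- placeholder: replace with the path to the Open Detector Package
    app_detector_dir = '<path_to_open_detector_package>',
}

ips =
{
    rules = local_rules,
}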


Note that the string used in the “appids” field in the rule above should exactly match the string in the second column in 
appMapping.data.

Hope that helps.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Biji Prathap via Snort-devel <snort-devel () 
lists snort org>
Date: Saturday, July 17, 2021 at 10:53 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Prevent VPN
I am using snort to maintain my home network. Users have been bypassing the network restrictions using VPN. I am ready 
to write the required lua scripts for openappid to prevent VPN. Is there any information with regard to preventing VPN 
using openappid? Any guidance will be appreciated.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
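
Added example, not part of the original thread or of Snort: a shell function that reads appMapping.data and emits one block rule per application whose name matches a pattern, copying the second column verbatim so that the "appids" string matches exactly as the reply requires. It assumes the file is tab-separated; the function names, the sample rows and the starting SID 1000001 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes appMapping.data is
# tab-separated with the application name in column 2.

# gen_vpn_rules FILE [PATTERN] [FIRST_SID]
# Prints one Snort 3 block rule per matching application name.
gen_vpn_rules() {
    awk -F '\t' -v pat="${2:-vpn}" -v sid="${3:-1000001}" '
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        {
            name = $2
            sub(/\r$/, "", name)          # tolerate CRLF line endings
            # case-insensitive filter on the application name
            if (name == "" || tolower(name) !~ tolower(pat)) next
            # A name holding a quote, backslash or semicolon cannot be
            # placed in appids:"..." unchanged; report it and move on.
            if (name ~ /["\\;]/) {
                printf "skipped: %s\n", name > "/dev/stderr"
                next
            }
            if (seen[name]++) next        # one rule per application
            printf "block tcp any any -> any any ( msg:\"block %s\"; appids:\"%s\"; sid:%d; )\n", name, name, sid++
        }
    ' "$1"
}

# Constructed sample rows; the IDs and extra columns are made up.
sample_mapping() {
    printf '1\tMonster VPN\t0\t1\t0\n'
    printf '2\tHTTP\t2\t0\t0\n'
    printf '3\tOpenVPN\r\n'
    printf '4\tBad"VPN\t0\t4\t0\n'
    printf '1\tMonster VPN\t0\t1\t0\n'
}

# Stand-alone use: sh this_script /path/to/appMapping.data [pattern] [sid]
if [ "$#" -gt 0 ]; then
    gen_vpn_rules "$@"
fi
```

The generated lines can be pasted between the [[ and ]] of local_rules in the configuration above. Like the rule in the reply, they match tcp only.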
