Snort mailing list archives
Re: Prevent VPN
From: "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 26 Jul 2021 08:49:21 +0000
AppId supports detection of various VPN applications such as Monster VPN, OpenVPN, ibVPN, etc. You can look at all the VPN applications AppId supports at https://appid.cisco.com or in the appMapping.data that is included in the Open Detector Package.

You can create an IPS rule to block an application. Here’s an example Lua file that blocks Monster VPN:

    local_rules =
    [[
    block tcp any any -> any any ( msg:"block "; appids:"Monster VPN"; sid:1; )
    ]]

    stream = {}
    stream_tcp = {}

    appid =
    {
        app_detector_dir = <path_to_open_detector_package>,
    }

    ips =
    {
        rules = local_rules,
    }

Note that the string used in the “appids” field in the rule above should exactly match the string in the second column in appMapping.data.

Hope that helps.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Biji Prathap via Snort-devel <snort-devel () lists snort org>
Date: Saturday, July 17, 2021 at 10:53 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Prevent VPN

I am using Snort to maintain my home network. Users have been bypassing the network restrictions using VPN. I am ready to write the required Lua scripts for OpenAppID to prevent VPN. Is there any information with regard to preventing VPN using OpenAppID? Any guidance will be appreciated.
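The reply above says the name in "appids" must exactly match the second column of appMapping.data. The following check for that is an added example, not part of either message and not Snort project code. It assumes appMapping.data is tab-separated, that each rule sits on one line, and that "appids" takes a comma-separated list; the sample mapping rows and rules are constructed.

```python
import re

# Constructed sample in the assumed tab-separated appMapping.data layout; the ids are
# made up, and only the second column (the application name) matters here.
SAMPLE_MAPPING = "9001\tMonster VPN\t0\n9002\tOpenVPN\t0\n9003\tibVPN\t0\n"

# Constructed rules: the first is the rule from the message, the others are near misses.
SAMPLE_RULES = '''
block tcp any any -> any any ( msg:"block "; appids:"Monster VPN"; sid:1; )
block tcp any any -> any any ( msg:"block "; appids:"monster vpn, OpenVPN"; sid:2; )
block tcp any any -> any any ( msg:"block "; appids:"Open VPN"; sid:3; )
'''

APPIDS_RE = re.compile(r'appids\s*:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')


def load_app_names(mapping_text):
    """Return the set of names found in the second column of appMapping.data."""
    names = set()
    for line in mapping_text.splitlines():
        cols = line.split("\t")
        if len(cols) >= 2 and cols[1].strip():
            names.add(cols[1].strip())
    return names


def _fold(name):
    """Case- and whitespace-insensitive key, used only to suggest a correction."""
    return re.sub(r"\s+", "", name).lower()


def check_rules(rules_text, known):
    """Return (sid, bad_name, suggestion) for each appids name with no exact match."""
    folded = {_fold(n): n for n in known}
    problems = []
    for line in rules_text.splitlines():
        m = APPIDS_RE.search(line)
        if not m:
            continue
        sid = SID_RE.search(line)
        sid = int(sid.group(1)) if sid else None
        for name in (p.strip() for p in m.group(1).split(",")):
            if name and name not in known:
                problems.append((sid, name, folded.get(_fold(name))))
    return problems


if __name__ == "__main__":
    for sid, name, hint in check_rules(SAMPLE_RULES, load_app_names(SAMPLE_MAPPING)):
        print(f"sid {sid}: {name!r} has no exact match; closest known name: {hint!r}")
```

To run it against a real deployment, pass the contents of the appMapping.data file from the Open Detector Package and of the local rules to the two functions in place of the constructed samples.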