Pokemon GO


L0 Member

With the rise in popularity of the new Pokemon GO app, has anyone had the opportunity to build a signature or possibly even gather a pcap of the traffic that could be shared (the site is not allowing signups right now so I am unable to produce my own test traffic to collect).

 

I have received complaints from as high as our CIO that too many people are walking around playing this game and we need to report on it and block it ASAP.

 

Any help is appreciated,

-adam

1 accepted solution

Accepted Solutions

L3 Networker

Hello,

 

 

From my research you can block the domain pgorelease.nianticlabs.com and the clients will not be able to reach out to the server to play the game. This does not however stop the employee from using their mobile data plan to continue playing the game. 

 

Regards,

Tyler


4 REPLIES

L4 Transporter

Hi,

 

I haven't seen the game's traffic since it hasn't been released yet in Canada, but the developer's previous game called Ingress relies heavily on Google API. You might have a hard time identifying the application without decrypting the traffic.

 

Regards,

 

Benjamin

Thanks for all the feedback. I can confirm that I also see the app attempting to use the following URLs:

 

pgorelease.nianticlabs.com
   -   Using a *.nianticlabs.com certificate
appload.ingest.crittercism.com
   -   Using a *.ingest.crittercism.com certificate

 

The latter URL appears to be a third party app analytics company. I've yet to receive an executive order to authorize blocking, but I believe tboire is likely correct that blocking the Niantic URL will prevent connections. Should I get approval to block, that is my next course of action.

 

Thanks everyone.

Hi @aelmore @tboire @BenjAudy.MTL

I know I am late in this thread, but I wanted to share these two options with you all.

 

Option 1: URL filtering

Simply blacklist the following url:  pgorelease.nianticlabs.com  (this is used to make API calls by the APP)

 

Option 2: Create a custom application which looks for the SNI string

set application pokemon-go default port tcp/443

set application pokemon-go signature PG-SSL and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern pgorelease.nianticlabs.com

set application pokemon-go signature PG-SSL and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context ssl-req-client-hello

set application pokemon-go signature PG-SSL scope protocol-data-unit

set application pokemon-go signature PG-SSL order-free no

set application pokemon-go signature PG-SSL comment "Pattern match against the SNI for Pokemon Go"

set application pokemon-go category media

set application pokemon-go subcategory gaming

set application pokemon-go technology client-server

set application pokemon-go description "Pokemon Go is a social game released in 2016 by Niantic Labs."

set application pokemon-go risk 1

set application pokemon-go parent-app ssl
