• How to limit or block torrent with snort

    0 Votes
    1 Posts
    848 Views
    No one has replied
  • Help me with this snort alert: Potential DNS Cache Poisoning Attempt

    0 Votes
    3 Posts
    2k Views

    Looks like your machine is making normal domain name queries to ns3.google.com

  • Snort not logging nmap port scans on LAN

    0 Votes
    4 Posts
    4k Views

    Hi

    At my Snort > Preprocessors and Flow > LAN > Portscan Detection

    Enable: X
    Protocol: all
    Scan Type: all
    Sensitivity: medium
    Memory Cap: 10000000
    Ignore Scanners:
    Ignore Scanned:

    I did an nmap scan of the pfSense LAN IP:

    nmap -T4 -A -v 192.168.0.254


    Discovered open port 443/tcp on 192.168.0.254
    Discovered open port 53/tcp on 192.168.0.254
    Discovered open port 22/tcp on 192.168.0.254
    ...

    And at Snort, LAN alerts:

    2016-11-17 20:37:39  3  TCP  Unknown Traffic  192.168.0.254  8081  192.168.0.12  51052  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    2016-11-17 20:37:10  3  TCP  Unknown Traffic  192.168.0.254  8081  192.168.0.12  50965  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    And another nmap scan from one host on the LAN to a remote host on the Internet: no alert at all!!!

    OK, I will try what you say …

    Regards

  • ICAP protocol error

    0 Votes
    7 Posts
    4k Views

    Same traffic.

    Fresh squid install, pf 2.3.2, squid 0.4.23_1

    Antivirus breaks the internet with the aforementioned error message on numerous sites (most, actually)

    Tried to run the a/v update, get this in the realtime tab:

    WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory

    a/v disabled for now, which is really too bad…

  • Need tutorial for snort

    0 Votes
    3 Posts
    1k Views

    What ttblum posted is all you really need, and everything else is self-explanatory, but here is the pass list:

    https://doc.pfsense.org/index.php/Snort_passlist

  • Experienced user needs answers that should be obvious, yet aren't

    0 Votes
    3 Posts
    769 Views

    First I try to answer your questions in your first post:

    1. E.g. imagine one day a zero-day vulnerability is discovered in the OpenVPN software. With your updated Snort ruleset you can protect your unpatched device against disclosing this vulnerability.

    2. The example above applies here again. Because of the manner in which TCP connections work, Snort will block the answer (reply to a LAN connection) coming to your WAN interface if a rule matches the packet. So in this situation it "doesn't matter" whether a port is closed on your firewall or not.

    3. E.g. you accidentally or by mistake click a link in an email message that points to a crypto malware file that would encrypt your whole disk. Snort will block the connection and save you from a catastrophic situation.

    4. pfBlockerNG will broaden the IPS function by blocking known malicious, attacking IP addresses and DNS addresses, thus further protecting your network against malware, spam, ransomware and other threats.

    As far as I can tell from reading your second post, you are not sure why to protect the traffic coming from the LAN interface.
    Your network could be attacked not just from the Internet. E.g. someone connects an infected USB drive to a computer in your network which spreads over all the machines. This infection could send private data out of your network BUT snort could block this too.

  • Finding SRC IP on Snort (CnC)

    0 Votes
    2 Posts
    1k Views

    The source on mine was the yoyo adserver list I had enabled in pfblockerNG package.

  • UBlock Origin - A NETWORK TROJAN - False Positive

    0 Votes
    5 Posts
    4k Views

    omg, I have been getting a similar trojan alert and it's driving me mad trying to work out where it is coming from

    https://forum.pfsense.org/index.php?topic=121123.0

    I also have uBlock Origin, but my Snort rule is only showing src as WAN. Now how can I tell if this is a false positive if I can't find the local IP?

  • 0 Votes
    5 Posts
    1k Views

    Hi.

    I do not know if this Akamai server is compromised. But you can submit the "false positive" (or bug) to Snort if you have a registered user in the community:
    https://www.snort.org/community#submit_bug

    Regards.

  • Suricata HOME_NET - unable to uncheck Locally-Attached Networks

    0 Votes
    2 Posts
    582 Views

    In other words: unchecking Local Networks from the pass list seems to have no effect. :(
    Could it be a cosmetic issue when clicking "View list"? (don't think so…)
    Also tried to overload the HOME_NET value in Advanced Configuration Pass-Through, but Advanced Configuration Pass-Through seems to be broken too (encoded when the config is saved). :(

  • Taming Snort

    0 Votes
    4 Posts
    5k Views

    I am guessing it's probably the IPS policy you have set, or you have set it to balanced. If not, check it out and just manually set the ones you want.

  • Filtering SMTP EHLO

    0 Votes
    5 Posts
    1k Views

    Hi.

    More about … :)

    @BBcan177:

    I have tried to do this in postfix but couldn't find a solution, so I ended up adding a custom rule to Snort…

    Getting hit, usually, by EHLO ylmf-pc (Chinese OS)

    Snort won't block it fast enough to prevent a couple login attempts, but it will stop an IP after about three attempts. This is because currently Snort is acting on a copy of the packet.

    alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP EHLO from ylmf-pc attempt"; threshold: type limit, track by_src, count 1, seconds 60; content:"ylmf-pc"; nocase; classtype:suspicious-login; sid:9000032; rev:2;)

    Regards.

  • Ignore source IP and port

    0 Votes
    3 Posts
    2k Views

    Hi

    I see you need something more f.

    Try to create custom rules in Snort to pass the traffic with dst 192.168.1.9 port 65000 and block the rest.

    alert tcp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPtcp"; sid:9000001; classtype:misc-activity; rev:1;)
    alert udp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPudp"; sid:9000002; classtype:misc-activity; rev:1;)

    Regards

  • Snort logs with details

    0 Votes
    4 Posts
    2k Views

    @jgkpffrm:

    connect to the pfsense server with filezilla and go to /var/log/snort/<interface>/
    download snort.log.xxxxx
    turn off ssh
    Run Wireshark and look at the data

    What you mean is to use Wireshark on a local PC and run an analyzer session against the log file (snort.log.xxxx)?

    Does this mean that snort.log.xxxx in reality has all the data, it is just more readable through WireShark?

  • Tool for inspecting inbound http traffic

    0 Votes
    1 Posts
    557 Views
    No one has replied
  • SSL Blacklist update features? (Suricata/Snort)

    0 Votes
    2 Posts
    2k Views

    From:

    https://forum.pfsense.org/index.php?topic=91438.msg506088#msg506088

    @fsansfil:

    They are covered in ET Trojan Rules. Have a look.

    F.

    If I read the above correctly it is already available?

  • Snort is processing VOIP/SIP media packets

    0 Votes
    2 Posts
    1k Views

    Just to update, I have used a BPF file to bypass Snort on the media ports to the VOIP hosts.

    This has resolved the CPU issue, although this is a workaround rather than a fix so I would still appreciate any input.

    To achieve this I created /etc/snort.bpf with the following contents

    not (host 10.0.200.161 and udp portrange 16384-32768)

    and added the following line to the advanced configuration pass-through

    config bpf_file: /etc/snort.bpf

    saved the configuration and restarted snort. Now calls do not hog the CPU.

  • Suppress all alerts for IP as destination?

    0 Votes
    2 Posts
    774 Views

    We have a somewhat similar problem. We have several external IP addresses: one for mail, one for our web server and one for everything else. We would like Snort to scan and block two of the three official IP addresses and leave the third untouched or, better phrased, unscanned.

    I have no real idea how to do that. At first I thought I could put the IP which should not be scanned outside of the home net or external net, but I couldn't get Snort to not scan the IP.

    Has someone a helping hand for me?

  • Suricata Inline mode NO Alert NO Drop

    0 Votes
    3 Posts
    1k Views

    I have already tried that without success.
    Fortunately I solved the problem. As I suspected, the problem was the vmxnet3 drivers. Netmap doesn't support them.
    Alerts appeared using Suricata inline with E1000 drivers on one of my bridge interfaces.
    I found this reference in another post:
    https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES

    Lesson: DON'T use VMXNET3 with Suricata INLINE mode!

  • Snort upgrade stuck, advice needed…

    0 Votes
    7 Posts
    2k Views

    Oops, I am also facing this situation. So the reason is from the Snort VRT website :(

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.