Balanced and Rule 140:27 in Snort
-
Hi,
I have selected the "Balanced" rule set in Snort (4.1.6_9), pfSense 2.7.
However, the rule 140:27 always interferes with my internal PBX, which communicates with several providers via SIP. (pfSense is correctly configured, as shown in the VoIP Hangout.) If I delete the block in the Blocked area and click on the red cross in the "Alerts" area, I would have solved the problem, or so I thought. The phone system works again.
A few days later the same thing happens again. Apparently it only stays active until the rules are reloaded via update.
In the passlist I already have known servers from the providers listed, but apparently they are IPs I don't know. When selecting a rule set like "Balanced", how can I still permanently delete a rule like 140:27?
Thank you.
Arti.
-
This is a known bug that has been fixed. Unfortunately the pfSense package builders currently have a problem and the "fixed" package has not been copied over to the CE package repo from the builder server. The fix is available in the pfSense Plus repo.
This has been reported to the Netgate team and they verified receipt of the report, but thus far the repo replication issue is not resolved. Once the repo replication issue is fixed, you will see a Snort 4.1.6_11 package appear in the CE branch, and that new version contains the fix you need.
The fixed PHP source code file is available here if you are handy with PHP programming and copying/pasting: https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_alerts.php.
Here is another thread about this issue: https://forum.netgate.com/topic/183190/snort-4-1-6_10-package-update-is-broken-do-not-install-it-a-fix-is-coming-in-4-1-6_11/13.
-