How do I figure out what part of SNORT is causing a data xfer to fail?
-
I have an iPad that has an aviation application on it. It has to be updated every 20-something days (I've forgotten what the actual cycle is -- for those who are pilots, I have to update VFR maps and "data base" and I have to do the same for IFR Low-enroute and approach plates and related.)
I did a system update and loaded snort, with my oinkcode and all seemed to be good until I needed to do an update with my iPad. It would load maybe 4MB of data (out of 1.x GB) and then complain it could not connect with the server.
So we have chased this, and by having my droid become a hot spot, the iPad could download data beyond the "sticking point", which effectively proved to me that SNORT was probably the problem. NOTE that NOTHING else had this issue. Anything operating on WiFi (which effectively goes through VLAN) is able to stream all day long. But not this iPad.
Uninstalled SNORT. Attempted to get the iPad to do its update and wham!! It is done with the download and install.
So I am trying to understand what SNORT is doing to cause this. I have been getting a lot of messages/alerts about https and (of course I can't find the message now) something about too many chained commands (as I understood it). So I was trying to figure out how to kill that part of Snort when I decided to just uninstall it and try the xfer... And so now that works, so before I put Snort back up, how do I, within pfSense, turn off, kill, or not install certain rules? I just can't seem to find how and where.
Regards,
Wylbur
-
@Wylbur check the Alerts tab to see if an IP is blocked.
Do you have it set for legacy (default) or inline mode?
-
You should be able to see it blocked in the Snort Alerts list. And you can then disable or suppress that signature to prevent it happening again. Remember to remove the remote server from the blocked hosts list as well.
https://docs.netgate.com/pfsense/en/latest/packages/snort/alerts.html
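The two replies above describe the workflow by hand: find the alert that fired against the download server, then suppress that signature so the server is no longer blocked. The script below is an added example that is not part of this thread or of the pfSense Snort package; it parses Snort's `alert_fast` log format, isolates the alerts involving one client (here the iPad's LAN address, a constructed value), counts which GID:SID fired, and builds the matching `suppress` line in the syntax Snort's threshold/suppress configuration uses (the same syntax the pfSense Snort package's Suppress List editor accepts). The log lines, IP addresses, rule messages and SIDs in `SAMPLE_ALERTS` are all constructed placeholders, not real rules; the regex assumes IPv4 addresses with ports, as TCP/UDP alerts carry.

```python
import re
from collections import Counter

# Constructed sample alert_fast lines (NOT from the thread). The SIDs 99999xx and
# the messages are placeholders standing in for whatever rule really fired.
# 198.51.100.20 plays the update server, 192.168.10.50 plays the iPad.
SAMPLE_ALERTS = """\
03/14-10:21:05.123456  [**] [1:9999901:2] PLACEHOLDER HTTP chained command alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:443 -> 192.168.10.50:52311
03/14-10:21:06.223456  [**] [1:9999901:2] PLACEHOLDER HTTP chained command alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:443 -> 192.168.10.50:52311
03/14-10:21:07.323456  [**] [1:9999902:1] PLACEHOLDER SSL anomaly [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.20:443 -> 192.168.10.50:52311
03/14-10:25:44.000001  [**] [1:9999903:1] PLACEHOLDER unrelated alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.77:5353 -> 224.0.0.251:5353
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:sport -> dst:dport. Assumption: IPv4 with ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per parseable alert_fast line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def alerts_involving(alerts, host):
    """Keep only alerts where `host` is the source or destination address."""
    return [a for a in alerts if host in (a["src"], a["dst"])]


def signature_counts(alerts):
    """Count alerts per (gid, sid, msg) so the noisiest signature stands out."""
    counts = Counter()
    for a in alerts:
        counts[(int(a["gid"]), int(a["sid"]), a["msg"])] += 1
    return counts


def suppress_entry(gid, sid, ip, track="by_src"):
    """Build a Snort suppress line that silences one signature for one address.

    track by_src matches when `ip` is the packet source (the remote server in the
    sample); use by_dst when the address of interest is the destination.
    """
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


def peers_of(alerts, host):
    """Remote addresses that appeared opposite `host`; these are the candidates to
    clear from the blocked-hosts list once the signature is suppressed."""
    return sorted({a["src"] if a["dst"] == host else a["dst"] for a in alerts
                   if host in (a["src"], a["dst"])})


if __name__ == "__main__":
    client = "192.168.10.50"  # constructed iPad address
    hits = alerts_involving(parse_alerts(SAMPLE_ALERTS), client)
    print(f"{len(hits)} alerts involve {client}")
    for (gid, sid, msg), n in signature_counts(hits).most_common():
        print(f"  {n:3d}x [{gid}:{sid}] {msg}")
    for peer in peers_of(hits, client):
        (gid, sid, _), _ = signature_counts(hits).most_common(1)[0]
        print("suggested suppress line:", suppress_entry(gid, sid, peer))
        print("then remove", peer, "from the Blocked tab")
```

Run it against a real `alert` file from Snort's log directory instead of `SAMPLE_ALERTS` (feed the file contents to `parse_alerts`) and substitute the iPad's actual address; the output tells you which signature keeps firing on the download connection and gives the suppress line to paste into the Suppress List. Suppressing is the conservative choice when the rule is legitimate but noisy for this one server; disabling the rule outright affects every host the sensor sees.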