Snort and Mac OS X users

sollostech · Jan 16, 2010, 5:30 PM

I enabled Snort on embedded pfSense 1.2.3 and found the Mac users (including myself) were invariably being blocked. Tried to suppress the alerts associated with the legitimate Mac traffic, but this never worked.

Roodawakening · Jan 17, 2010, 4:17 AM

I've been running my Mac behind pfSense (with Snort, Squid, Squidguard, Denyhosts, Fit123, and HAVP) for months. I suspect it has nothing to do with your Mac, other than perhaps a setting being off. How is Snort configured?

sollostech · Jan 17, 2010, 4:45 AM

I just had the standard config, didn't change anything. I had a few rules enabled and then turned them all of to see if that would help.

Roodawakening · Jan 19, 2010, 6:55 AM

@sollostech:

I just had the standard config, didn't change anything. I had a few rules enabled and then turned them all of to see if that would help.

Again…I doubt it has anything to do with the operating system. You might want to check firewall settings on the local (LAN) machines to make sure you don't have a conflict.

sollostech · Jan 20, 2010, 3:13 PM

Don't have any firewall on the machines themselves. I assumed it was a Mac issue only because reading in the forums on my issue I found other posts that had identified the issue with Mac visitors. I will try it again, but set Snort to not block the visitor and just give me the alert error so I can work on figuring this out. Not sure why the exceptions I tried to put it didn't do anything, I guess I did something incorrect.

jamesdean · Jan 20, 2010, 10:10 PM

Use the threshold.conf to suppress the alerts you get.
Search the forums on how to do that.

James