Netgate Discussion Forum
    Snort problem

pfSense Packages
    17 Posts 6 Posters 7.7k Views
alanon

Thanks for your replies. In regard to the first post:

1. It is.
2 and 3) I have this and it just hangs on updating. I left it for 30 minutes yesterday and it never updated. I was able to do the manual update and extracted the files into the directory, so I am hoping that worked. It's still just hanging today as well.
2. All set.
3. Just did that as well (previously only had ddos and dos).
4. I don't have the emerging one listed; I have it checked in the previous step. I wish there was a select-all :)

Very quickly the blocked IPs jumped to over 2000! Most are port scans; some others are: DOUBLE DECODING ATTACK (a lot of these), Windows Media Player invalid data offset bitmap heap overflow attempt, WEBROOT DIRECTORY TRAVERSAL.
I have this set to block for 1 hour. Would you recommend going longer until I thought this was over?

Yesterday we were down for close to two hours, moved pfSense to a new server, upgraded from 1.2 to 1.2.3 release and installed Snort. It seemed to be over until 6:00 AM this morning when it started all over again.

Thanks for all your help.

alanon

Strange thing just happened. The blocked list was up to around 3500, and I had an employee say they were being blocked, so I added them to the whitelist. After restarting Snort no IPs are in the block list now for the last few minutes. All the settings are still there?

darklogic

Here is my suggestion. I would recommend backing up your config and reinstalling 1.2.3 Release. I had to do this because of some odd issues with the upgrades from 1.2.3RC. I realize you went from 1.2.2, but maybe it's the same issue with the hanging.

I have noticed the same thing with the block page after restarting the system or the Snort service, where everything will clear. I noticed this after upgrading to the latest Snort package, 2.8.6 pkg v. 1.27. I am not sure what that is about, but I have had that happen to me as well on more than one occasion. Make sure you don't clear your alert list; that will mess with the blocked IPs.

As far as going longer than 1 hour, I would recommend maybe up to 24 hours.

Also note there are some known issues with the Snort package and whitelisting of IPs.

alanon

It took a while but the IPs started showing up again. Unfortunately I can't rebuild; after all the downtime the last few days we have to try and get things working as is. I hate having to test all this in a live environment but it's our only choice right now.

After whitelisting him he still could not get through, couldn't hit the web site or SSH through. If the whitelisting doesn't work I may have to scale back the categories, so that we at least have some protection. I had to disable Snort so he could work; he's one of the main developers.

I wish I could add the aliases we have to the whitelist (if it worked). We have a monitoring company that performs many checks; all started to fail after enabling Snort.

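Added example, not code from the pfSense Snort package or from anyone in this thread: a small Python model of what the earlier posts are arguing about. It parses Snort fast-format alert lines (constructed samples, documentation addresses only), drops any source that falls inside a whitelist given as CIDR strings (the way an alias would list the VPN network or a monitoring company's range), and keeps each remaining offender blocked for a configurable window, so the 1-hour versus 24-hour choice can be compared on the same alerts. The alert lines, addresses, whitelist, year and "now" timestamp are all assumptions made up for the example; the real package enforces blocks in pf, which this script does not touch.

```python
"""Whitelist-aware Snort block list with expiry.

Added example: NOT code from the pfSense Snort package or from the thread.
Alert lines, addresses, whitelist and timestamps are constructed for
illustration. The real package enforces blocks in pf; this script only
models which sources would be blocked and for how long.
"""
import ipaddress
import re
from datetime import datetime, timedelta

YEAR = 2010  # Snort "fast" alerts carry no year; assumed for the example

# Constructed Snort fast-format alert lines (RFC 5737 documentation addresses).
SAMPLE_ALERTS = """\
06/02-05:00:00.000000  [**] [1:1000003:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.99:55000 -> 203.0.113.10:22
06/02-06:01:12.000000  [**] [1:1000001:1] WEBROOT DIRECTORY TRAVERSAL [**] [Priority: 2] {TCP} 198.51.100.23:41000 -> 203.0.113.10:80
06/02-06:01:13.000000  [**] [1:1000002:1] DOUBLE DECODING ATTACK [**] [Priority: 2] {TCP} 198.51.100.23:41001 -> 203.0.113.10:80
06/02-06:01:15.000000  [**] [1:1000003:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 192.0.2.77:55000 -> 203.0.113.10:443
06/02-06:01:20.000000  [**] [1:1000002:1] DOUBLE DECODING ATTACK [**] [Priority: 2] {TCP} 10.8.0.5:50000 -> 203.0.113.10:80
06/02-06:20:00.000000  [**] [1:1000002:1] DOUBLE DECODING ATTACK [**] [Priority: 2] {TCP} 198.51.100.23:41002 -> 203.0.113.10:80
"""

# Hypothetical whitelist as CIDR strings, the way an alias would hold it:
# the VPN tunnel network and the monitoring company's address block.
WHITELIST = ["10.8.0.0/24", "192.0.2.0/24"]

# Assumed evaluation time and the two block windows discussed in the thread.
NOW = datetime(YEAR, 6, 2, 6, 30, 0)
ONE_HOUR = timedelta(hours=1)
ONE_DAY = timedelta(hours=24)

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    return {
        "ts": datetime(YEAR, int(m["mon"]), int(m["day"]), hour, minute, second),
        "sid": m["sid"],
        "msg": m["msg"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
    }


def is_whitelisted(ip, whitelist):
    """True if ip falls inside any entry of whitelist (single hosts or CIDR blocks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in whitelist)


def active_blocks(alert_text, whitelist, block_for, now):
    """Map each non-whitelisted alert source to the time its block would expire.

    A fresh alert from an already blocked host restarts its timer, so a
    persistent scanner stays blocked; hosts whose window has passed are dropped.
    """
    expiry = {}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or is_whitelisted(alert["src"], whitelist):
            continue
        src = alert["src"]
        candidate = alert["ts"] + block_for
        if src not in expiry or candidate > expiry[src]:
            expiry[src] = candidate
    return {ip: exp for ip, exp in expiry.items() if exp > now}


if __name__ == "__main__":
    # Check the developer's VPN address against the whitelist before re-enabling.
    print("10.8.0.5 whitelisted:", is_whitelisted("10.8.0.5", WHITELIST))
    for window in (ONE_HOUR, ONE_DAY):
        blocked = active_blocks(SAMPLE_ALERTS, WHITELIST, window, NOW)
        print(f"block window {window}:")
        for ip, exp in sorted(blocked.items(), key=lambda kv: str(kv[0])):
            print(f"  {ip} blocked until {exp:%m/%d %H:%M:%S}")
```

Running it shows the point of the pre-check: the VPN host that tripped DOUBLE DECODING ATTACK and the monitoring company's scanner both drop out because they match whitelist networks, while the 1-hour window has already released the 05:00 scanner that the 24-hour window would still hold.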
darklogic

Oh, one other thing. You might want to look into the Country Block and IP Block feature package. Also install the cron package to use hand in hand with Country Block. The US has around 1.5 billion active IPs and the rest are reserved or in other countries. I block everything from our network other than the US-based IPs. Something to consider. Cut the head off the snake if these attacks are coming from somewhere other than the US.

Matt

darklogic

Don't block United Kingdom or Canada if you use BlackBerry Service LOL.

Matt

alanon

I wish I could; we are a website with global users (top 10K of the Internet). We have clients that connect to our database through an API all over the world.

I am surprised this is our first DDoS.

I was going to add their (clients') IPs to the whitelist, but if it's not reliable not sure if it would matter… I think we just have to do a lot of tweaking to get things working.

darklogic

Without too much detail, what kinds of service are you hosting, and are you using pfSense for VPN use? Have you considered placing another system in front of the pfSense box? I hate to do this on the pfSense forums, but I am trying to help someone out: ClearOS or Untangle. Untangle uses Snort and has its own designed system called attack blocker, which is separate from the Snort package. You can run it in transparent mode in front of or behind an existing firewall. So if you have some free public IPs available, you could run it in transparent mode in front of your pfSense box until this gets under control. This is only if you cannot get Snort to work properly.

Matt

alanon

The easiest way to put it is we deliver a large amount of data; our database grows by around 500 GB/month. We are a search engine. Our developers, many overseas, come in through VPN. I have "whitelist VPN" selected, but it didn't seem to help.

We've had to disable Snort and reboot the firewall to get things somewhat back to normal.

We are going to see if we can find someone (an expert) who can help; this is beyond our normal scope. We were hoping a quick install and a couple of check boxes would stop, or deter, the DDoS.

Thanks

jamesdean

@alanon

Check your PM. I believe I can help you.

James

alanon

Thanks, just sent you a message.

dolphin46

Global setting:
    do not install - checked
Rules:
    update rules

A Former User

When is the package going to be fixed? I am using another flavor of firewall and it has DNS problems.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.