Snort problem
-
It took a while but the IPs started showing up again. Unfortunately I can't rebuild; after all the downtime the last few days we have to try and get things working as is. I hate having to test all this in a live environment but it's our only choice right now.
After whitelisting him he still could not get through: he couldn't hit the website or SSH in. If the whitelisting doesn't work I may have to scale back the categories, so that we at least have some protection. I had to disable Snort so he could work; he's one of the main developers.
I wish I could add the aliases we have to the whitelist (if it worked). We have a monitoring company that performs many checks, all of which started to fail after enabling Snort.
-
Oh, one other thing. You might want to look into the Country Block and IP Block feature package. Also install the cron package to use hand in hand with Country Block. The US has around 1.5 billion active IPs and the rest are reserved or in other countries. I block everything from our network other than the US-based IPs. Something to consider. Cut the head of the snake off if these attacks are coming from somewhere other than the US.
Matt
-
Don't Block United Kingdom or Canada if you use BlackBerry Service LOL.
Matt
-
I wish I could, but we are a website with global users (top 10K of the Internet). We have clients that connect to our database through an API all over the world.
I am surprised this is our first DDOS.
I was going to add their (clients') IPs to the whitelist, but if it's not reliable I'm not sure if it would matter… I think we just have to do a lot of tweaking to get things working.
-
Without too much detail, what kinds of service are you hosting, and are you using pfSense for VPN use? Have you considered placing another system in front of the pfSense box? I hate to do this on the pfSense forums, but I am trying to help someone out. ClearOS or Untangle. Untangle uses SNORT and has its own designed system called Attack Blocker which is separate from the Snort package. You can run it in transparent mode in front of or behind an existing firewall. So if you have some free public IPs available, you could run it in transparent mode in front of your pfSense box until this gets under control. This is only if you cannot get SNORT to work properly.
Matt
-
The easiest way to put it is, we deliver a large amount of data; our database grows by around 500GB/month. We are a search engine. Our developers, many overseas, come in through VPN. I have "whitelist VPN" selected, but it didn't seem to help.
We've had to disable Snort and reboot the firewall to get things somewhat back to normal.
We are going to see if we can find someone (an expert) who can help; this is beyond our normal scope. We were hoping a quick install and a couple of check boxes would stop, or deter, the DDOS.
Thanks
-
-
Thanks, just sent you a message.
-
global setting
do not install - checked
rules
update rules -
When is the package going to be fixed? I am using another flavor of firewall and it has DNS problems.