Netgate Discussion Forum

    Snort and TeamSpeak3 = will make snort ban all my teamspeak users.

      fableman

      Version of PFSENSE: 1.2.3-RELEASE

      Hi.

      I have been forced to turn off Snort until I get a solution. Snort is banning my TeamSpeak 3 users.

      The ban is not triggered directly, only after some time.

      How can I disable the rule that triggers bans on my TeamSpeak 3 users?

      I tried adding suppress rules, but they don't work:
      suppress gen_id 122, sig_id 22
      suppress gen_id 122, sig_id 24

      Would love to get some help with this problem.

      ------------------------------------------------------
      BAN LOG: (portscan) UDP Filtered Distributed Portscan


      PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date

      1 3 PROTO:255 (portscan) UDP Filtered Decoy Portscan Prep 19.18.4.74 empty -> 187.9.48.16 empty 122:22:0 01/29-23:05:33

      4 3 PROTO:255 (portscan) UDP Filtered Distributed Portscan Prep 89.1.14.3 empty -> 187.9.48.16 empty 122:24:0 01/29-03:09:34

      Most speed test sites got problems with 1/1Gbit FTTH

        Cry Havok

        That's not a rule but the portscan preprocessor. You need to disable the preprocessor, though I'm not sure how to do that with pfSense.

          jamesdean

          To completely turn off that alert type:
          Go to the Snort tab called "snort_preprocessors.php", then uncheck the "Portscan Detection" option.
          That's all you have to do.

          The suppress rule you posted looks good to me. Did you remember to save/restart the Snort interface?

          James

            fableman

            Yes, I can disable the portscan under preprocessors, but it's not a good solution, I think.
            Still, it's the only thing that works; my suppress rules do nothing (even after restarts).

            I wish I could just disable all alerts on port xxxx.

            It would be awesome to be able to exclude some ports from all kinds of checks.

            Then I would be able to protect myself from portscanners (now I can't if I need TeamSpeak 3 on my server).

            Will there be any solution for this in the next version?

              jamesdean

              The gen-msg.map file says we're using the right SIDs.

              Oh I forgot to mention, try flipping the numbers.

              suppress gen_id 22, sig_id 122
              suppress gen_id 22, sig_id 122

              James

                fableman

                @jamesdean:

                The gen-msg.map file says we're using the right SIDs.

                Oh I forgot to mention, try flipping the numbers.

                suppress gen_id 22, sig_id 122
                suppress gen_id 22, sig_id 122

                James

                Sorry, changing the suppress rule didn't work; it is still banning the users. The only thing that works is to disable Portscan Detection :(

                  fableman

                  Is there no solution to this problem? :-\

                    Cino

                    If you know all their IP addresses or an IP range, add it to the whitelist. I do this for my work's IP range and it works like a charm. If it didn't, I wouldn't be able to use OpenVPN, because a block rule would be auto-created because of the portscan preprocessor.

                      fableman

                      @Cino:

                      If you know all their IP addresses or an IP range, add it to the whitelist. I do this for my work's IP range and it works like a charm. If it didn't, I wouldn't be able to use OpenVPN, because a block rule would be auto-created because of the portscan preprocessor.

                      Whitelisting is a crazy thing to do, if you ask me. You never know what other people have on their computers.

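For reference, the two scoping mechanisms that stock Snort 2.x offers for the situation discussed in this thread, as an added example that is not from any poster or from the pfSense package: a `suppress` entry limited with `track`/`ip`, and the sfPortscan `ignore_scanned` option, which accepts an optional port after the address. The address 192.0.2.10 and UDP port 9987 (TeamSpeak 3's default voice port) are placeholders, and whether the pfSense 1.2.3 Snort package exposes these settings is not stated in the thread.

```conf
# snort.conf fragment (Snort 2.x syntax). Added example, not from the thread.
# ASSUMPTIONS: 192.0.2.10 stands in for the TeamSpeak 3 server address and
# 9987 for its UDP voice port; replace both with the real values.

# The SID column in the alert log ("122:22:0", "122:24:0") reads gid:sid:rev,
# so generator 122 is the portscan preprocessor and 22 / 24 are its events:
#   122:22  (portscan) UDP Filtered Decoy Portscan
#   122:24  (portscan) UDP Filtered Distributed Portscan

# Broad form (as tried in the thread): drops these events for every host.
# suppress gen_id 122, sig_id 22
# suppress gen_id 122, sig_id 24

# Narrower form: suppress only when the alert's destination is the TS3
# server, so the same events are still reported for all other hosts.
suppress gen_id 122, sig_id 22, track by_dst, ip 192.0.2.10
suppress gen_id 122, sig_id 24, track by_dst, ip 192.0.2.10

# Port-level form: have sfPortscan itself ignore that address and port as
# the destination of scan alerts. ignore_scanned takes a comma-separated
# list of "ip[/cidr] [port|low-high]" entries.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanned { 192.0.2.10 9987 }
```

Unlike a whitelist entry for client addresses, both forms are keyed on the server side, so they require no trust decision about the machines that connect.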