Netgate Discussion Forum

    Snort blocking remote staff when checking email with Outlook

    pfSense Packages
    • Cry Havok

      Did you remember to restart snort after you added that configuration line?

      • djmime

        Yes, I did restart the service and the FW; no change.

        • Cry Havok

          Please post all of the Snort messages (complete) for the point in time you try to connect to Exchange.

          • vito

            I have added the suppress line and it did not seem to work for me either.
            It seems this started after the last Snort upgrade (if I had to put a time frame on it... guessing). Currently on the latest Snort build on PF 2 release.

            Removed IP from block list, restarted Snort.

            Log cleared and watched for the entry. (It does not seem like it happens right away.)
            IPs removed

            snort[24758]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:62848 -> x.x.x.x:443

            PF Log:
            Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
            Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443

            Snort Alert:
            TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic x.x.x.x 42583 -> x.x.x.x 443 137:1:1 09/19-14:30:51

            • djmime

              I'm having the exact same log, and it seems like it happens after the second or third attempt
              of the client OWA and OMA
              (ssp_ssl) Invalid Client HELLO after Server HELLO Detected

              Thanks, Daniel

              • vito

                Is this still an issue for both of you? Have not been able to get it working on my box.

                thx

                • djmime

                  Yes, it still is. I don't have too much time to play with it; I will try on the weekend.
                  Thanks

                  • djmime

                    OK, I am lost, can't figure this out, need some help?

                    • Cry Havok

                      Start by unticking "Block offenders" in the interface settings. That will give you time to get to the bottom of why you're having problems disabling that rule.

                      Also, can you post a screenshot of the Advanced configuration pass through section please.

                      • vito

                        I rebooted my FW this morning and did not have a problem till about an hour ago.
                        Nothing in my adv config section.

                        • Cry Havok

                          Then Snort isn't doing any blocking, something else is your problem.

                          • vito

                            @Cry:

                            Then Snort isn't doing any blocking, something else is your problem.

                            Then what should be in there? I do not recall anything in the adv config box, and Snort appears to be working fine besides this. The name implies "advanced", to be passed to the Snort config for additional options not available in the GUI. (I know in the Squid package, the custom options box shows configs, but I have never seen this in Snort.)

                            If Snort is not blocking/working, then why is it "blocking" the data stream from the phones and producing the problem by blocking the IPs? Turning off Snort or not blocking offenders allows the devices to work fine.
                            It is also scanning other traffic and blocking offenders when needed.

                            This was only an issue after one of the last updates.
                            Thanks for your help.

                            • Cry Havok

                              Then how have you told it to suppress the rule? Where did you enter suppress gen_id 137, sig_id 1?

                              • vito

                                Under the "suppress" Tab

                                I also just tried under adv config. Still not working.

                                • Cry Havok

                                  What version of pfSense and the Snort package are you running?

                                  • vito

                                    PF 2.0 release
                                    Snort 2.9.0.5 pkg v. 2.0

                                    • Cry Havok

                                      Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see.

                                      • vito

                                        Thanks for the reply and testing, Cry Havok.

                                        OP and other users that posted to the thread:
                                        Can you post your versions of Snort and PF?
                                        Also note where you have the suppress line added.

                                        If this is a bug, it will help with troubleshooting.

                                        • swinn

                                          @Cry:

                                          Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see.

                                          Did you also set the suppression rule list you created to the interface (If Settings->Suppression and Filtering)? If the interface is still set to default then it will not suppress any alerts.

                                          • Cry Havok

                                            @swinn:

                                            Did you also set the suppression rule list you created to the interface (If Settings->Suppression and Filtering)? If the interface is still set to default then it will not suppress any alerts.

                                            No - didn't know that those extra steps were required.

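Added example, not part of any poster's message and not pfSense or Snort package code: a Python check of whether the signatures seen in the alert log are covered by an active `suppress` directive in the config text Snort loaded, which is what the thread ends up verifying by hand. The log and config strings are constructed samples modelled on the lines quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed samples modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
Sep 19 14:31:02 snort[13668]: [1:1000001:1] constructed local rule [Priority: 3] {TCP} x.x.x.x:50000 -> x.x.x.x:25
"""
CONF_MISSING = "ipvar HOME_NET any\n# suppress gen_id 137, sig_id 1\n"
CONF_APPLIED = "ipvar HOME_NET any\nsuppress gen_id 137, sig_id 1\n"
CONF_BY_IP = "suppress gen_id 137, sig_id 1, track by_src, ip 192.0.2.10\n"

ALERT_RE = re.compile(r"snort\[\d+\]: \[(\d+):(\d+):\d+\]")
SUPPRESS_RE = re.compile(
    r"^[ \t]*suppress[ \t]+gen_id[ \t]+(\d+)[ \t]*,[ \t]*sig_id[ \t]+(\d+)([^#\n]*)",
    re.MULTILINE)

def alert_counts(log_text):
    """Count alerts per (gen_id, sig_id) in syslog-style Snort lines."""
    return Counter((int(g), int(s)) for g, s in ALERT_RE.findall(log_text))

def suppressions(conf_text):
    """Map (gen_id, sig_id) -> 'all' or 'by_ip' for active suppress lines.
    Commented-out lines do not match because '#' precedes the keyword."""
    found = {}
    for gid, sid, rest in SUPPRESS_RE.findall(conf_text):
        scope = "by_ip" if "track" in rest else "all"
        key = (int(gid), int(sid))
        # A blanket suppress wins over an address-limited one.
        if found.get(key) != "all":
            found[key] = scope
    return found

def still_alerting(log_text, conf_text):
    """Signatures in the log that the loaded config does not fully suppress."""
    active = suppressions(conf_text)
    return sorted(k for k in alert_counts(log_text) if active.get(k) != "all")

if __name__ == "__main__":
    for name, conf in [("missing", CONF_MISSING), ("applied", CONF_APPLIED),
                       ("by_ip", CONF_BY_IP)]:
        print(name, still_alerting(SAMPLE_LOG, conf))
```

Run it against the config file Snort was actually started with, not the GUI form contents; if 137:1 is still listed, the suppress line never reached the running config or is limited to specific addresses.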