Sites are blocked after upgrading Snort
-
I just upgraded Snort to the latest version, 2.9.5.5 pkg v3.0.1, and now a lot of sites are blocked. Sites I visit regularly were blocked, for example Candy Crush from Facebook, and many others.
I added this to the suppress list and it helped for about 10 minutes:
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#ET POLICY Dropbox.com Offsite File Backup in Use
suppress gen_id 1, sig_id 2012647
Meanwhile I unchecked the option
Block Offenders [] Checking this option will automatically block hosts that generate a Snort alert.
so I can browse.
-
There are some false positives that happen with the HTTP_INSPECT preprocessor. In particular, at least one of the ones you listed appears to have cropped up in the latest Snort binary. I suggest adding Suppress List entries for these alerts for now until the Snort VRT folks get them sorted out. You may also be able to experiment with tuning some of the new options available in the updated GUI for Stream5 and HTTP_INSPECT.
Also, when you add entries to the Suppress List, you need to restart Snort on the interface for it to see the change.
Bill
-
Those http alerts are already known to be false positives.
-
I checked this box again:
Block Offenders [] Checking this option will automatically block hosts that generate a Snort alert.
and again many sites were blocked. Internet browsing on all computers is horribly slow. I am attaching screenshots of the system logs. It all started with the last update of Snort.
-
The only entry in all those log entries that is Snort-related AND could be causing Internet connections to have problems is the "Double-Decoding attack" entry from the HTTP_INSPECT preprocessor. As several others have said, this is a false positive 99% of the time. The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.
To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column. That will auto-add it to the Suppress List. Restart Snort on the interface and that alert will no longer cause a block. False positives are normal on any IPS/IDS. That's what all the tuning parameters are there for, so you can tune Snort to only alert on things important in your environment. The HTTP_INSPECT preprocessor causes most of the false positives because very few web servers on the Internet follow all the RFC standards to the absolute letter.
The firewall log entries are IPv6 Link-Local broadcasts. They are not a problem, but if you don't want to see them you can simply drop and not log them. They are not Snort-related outside the fact Snort puts the WAN interface in promiscuous mode, so it may be collecting IP traffic between you and your far-end gateway that is not explicitly destined for your NIC's MAC address.
The ET (Emerging Threats) blocks from Snort are normal and expected for that rule set. The alert means an IP from a "bad actors" IP list tried to connect to your WAN IP.
Finally, looking at your logs indicates some issues with your PPPoE connectivity. Looks like the interface has bounced a time or two and the apinger for Gateway health was showing some issues a few days back.
Bill
-
Indeed, the apinger turned off once or twice and I had to run it again.
This is the suppress list:
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#ET POLICY Dropbox.com Offsite File Backup in Use
suppress gen_id 1, sig_id 2012647
#ET INFO JJEncode Encoded Script
suppress gen_id 1, sig_id 2017127
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
Finally, looking at your logs indicates some issues with your PPPoE connectivity. Looks like the interface has bounced a time or two and the apinger for Gateway health was showing some issues a few days back.
Can it cause slowness in surfing? Currently the situation is that it takes three or four minutes to load a web page, if any. By the way, browsing to the management screen (dashboard) is also slow; sometimes it is impossible to enter the management screen.
-
You are missing the Suppress Entry for the DOUBLE DECODING ATTACK alert. You need this one as well based on your log posting:
#(http_inspect) DOUBLE DECODING ATTACK suppress gen_id 119, sig_id 2
Issues with slow surfing and trouble entering the Management screen of the firewall indicate something hardware-related in my opinion. I would look for duplex mismatches or bad cabling. What type of hardware are you running pfSense on (for example, CPU type, amount of RAM, type of NIC, etc.).
I also saw from your earlier log posting that you appear to be running some other packages in addition to Snort. I would suggest turning off ALL the packages (including Snort) and then see how your web surfing and connectivity to the Management interface works. If you still have issues, then you know it's not any of the packages.
Bill
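Bill's two points above, add a Suppress List entry for each HTTP_INSPECT alert that keeps firing, and check the list against the log because the DOUBLE DECODING ATTACK entry (GID 119, SID 2) was missing, amount to a bookkeeping task: compare what is actually alerting with what the Suppress List already covers. The script below is an added example and is not code from this thread or from the pfSense Snort package. It reads Snort alert lines in the alert_fast format and a suppress list in threshold.conf syntax; both samples are constructed to mirror the GID:SIDs discussed here, and the choice to propose entries only for GIDs 119 and 120 (the HTTP_INSPECT client and server preprocessor alerts) is an assumption, since rule alerts in GID 1 deserve a judgement call rather than blanket suppression.

```python
"""Report Snort alerts still firing because no global suppress entry covers them.

Added example, not part of the original thread or the pfSense Snort package.
Inputs are constructed samples: alert_fast lines and a threshold.conf-style
suppress list.
"""
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not the poster's real log).
SAMPLE_ALERTS = """\
09/30-10:15:01.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.0.2.5:51234
09/30-10:15:02.223456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.11:80 -> 192.0.2.5:51235
09/30-10:15:03.323456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.12:80 -> 192.0.2.5:51236
09/30-10:15:04.423456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.13:80 -> 192.0.2.5:51237
09/30-10:15:05.523456  [**] [1:2012647:3] ET POLICY Dropbox.com Offsite File Backup in Use [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.5:51238 -> 203.0.113.14:443
09/30-10:15:06.623456  [**] [1:2017127:2] ET INFO JJEncode Encoded Script [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.15:80 -> 192.0.2.5:51239
"""

# Constructed suppress list in threshold.conf syntax (the poster's first list).
SAMPLE_SUPPRESS = """\
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#ET POLICY Dropbox.com Offsite File Backup in Use
suppress gen_id 1, sig_id 2012647
"""

# "[**] [gid:sid:rev] message [**]" as written by the alert_fast output plugin.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")
# "suppress gen_id G, sig_id S[, track by_src|by_dst, ip ...]"
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)$")


def parse_alerts(text):
    """Return (Counter of (gid, sid) -> hits, dict of (gid, sid) -> message)."""
    counts = Counter()
    messages = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        messages.setdefault(key, m.group(3))
    return counts, messages


def parse_suppress(text):
    """Return the set of (gid, sid) covered by *global* suppress entries.

    Entries with 'track by_src' / 'by_dst' only suppress for the listed IPs,
    so they are deliberately not counted as global coverage.
    """
    covered = set()
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if not m or "track" in m.group(3):
            continue
        covered.add((int(m.group(1)), int(m.group(2))))
    return covered


def missing_suppress_entries(alert_text, suppress_text, gids=(119, 120)):
    """List (gid, sid, msg, hits) for alerts in `gids` not yet suppressed.

    Defaults to the HTTP_INSPECT preprocessor GIDs (assumption for this
    example); busiest alerts come first.
    """
    counts, messages = parse_alerts(alert_text)
    covered = parse_suppress(suppress_text)
    return [
        (gid, sid, messages[(gid, sid)], hits)
        for (gid, sid), hits in counts.most_common()
        if gid in gids and (gid, sid) not in covered
    ]


def render_suppress(entries):
    """Format proposed entries in the comment + suppress style used in the thread."""
    lines = []
    for gid, sid, msg, _ in entries:
        lines.append(f"#{msg}")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return "\n".join(lines)


if __name__ == "__main__":
    missing = missing_suppress_entries(SAMPLE_ALERTS, SAMPLE_SUPPRESS)
    for gid, sid, msg, hits in missing:
        print(f"{gid}:{sid} fired {hits}x and is not suppressed: {msg}")
    print(render_suppress(missing))
```

On a pfSense box the same logic would be pointed at the interface's alert log and the Suppress List text from the GUI; after pasting the proposed lines into the list, Snort still has to be restarted on the interface, as Bill notes, before the change takes effect.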
-
Intel(R) Pentium(R) 4 CPU 2.40GHz
739 MB memory
Two simple network cards, up to 100 Mb
On-board network card, up to 100 Mb
Wireless network card, up to 54 Mb
Is there a way to know the technical specifications of the computer, which cards or memory, apart from what is listed in the Dashboard?
To tell the truth, it could be a hardware problem. A few days ago there was a power problem in my area; for several days there were more than 20 power outages. I have a UPS, but it did not work, so the computer stopped working twice. I have no way to check the hardware apart from taking the computer to the lab.
You are missing the Suppress Entry for the DOUBLE DECODING ATTACK alert. You need this one as well based on your log posting:
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
I saw it and I added it now. We'll see how this works now.
I also saw from your earlier log posting that you appear to be running some other packages in addition to Snort. I would suggest turning off ALL the packages (including Snort) and then see how your web surfing and connectivity to the Management interface works. If you still have issues, then you know it's not any of the packages.
I know the computer is a bit weak for all this, but it worked great until now.
-
739 MB of RAM is a challenge for Snort with a full rule set. Snort is a memory hog. Depending on the number of rules active, RAM usage can quickly grow beyond 2 GB. If your box begins swapping RAM out to the swap file, then performance will slow to a crawl. Currently the Dashboard does not indicate any swap usage, so that may not be the problem.
You can test Snort as the cause of your slowness issue by simply turning Snort off on the interfaces it is running on. Just click the green arrow icon on the Snort Interfaces tab and wait for it to turn into a red X. Snort is then stopped and is not consuming any resources nor doing anything to network traffic. If things are still slow and you have web browsing issues, then Snort is not at fault and you know to look elsewhere.
Now if Snort was blocking a number of web sites, that can also give the appearance of being slow. What happens is most web sites use advertising, and that advertising is served up by external sources (meaning not from the same web server as the content you went to see is served from). Sometimes those external sources are either known suspicious sites with poor reputations that are on a Snort block list, or the external site may use some non-standard HTTP encoding that the Snort HTTP_INSPECT preprocessor does not like. Either way the incoming ad stream is blocked. Some web pages will pause or simply not load when any of their embedded ads don't completely load. You may be seeing some of that behavior as well. Properly configuring a Suppress List will help in this area.
Bill