Netgate Discussion Forum

    Snort UDP Filtered Portscan with OpenVPN

    Heli0s:

      I'm connected to a VPN server which has the OpenVPN KeepAlive flag. Everything works fine; however, every few minutes Snort picks up a UDP Filtered Portscan coming from the VPN server IP to the WAN IP. This causes the internet to drop until I clear the blocked host. The preprocessors on the VPN and WAN interfaces are set to detect portscans. The only way I found around that is to add the OpenVPN server's IP to the pass list.

      My question is: Is this normal behavior? I can disable the portscan detection; however, would that reduce my network security?

      bmeeks:

        @Heli0s:

        I'm connected to a VPN server which has the OpenVPN KeepAlive flag. Everything works fine; however, every few minutes Snort picks up a UDP Filtered Portscan coming from the VPN server IP to the WAN IP. This causes the internet to drop until I clear the blocked host. The preprocessors on the VPN and WAN interfaces are set to detect portscans. The only way I found around that is to add the OpenVPN server's IP to the pass list.

        My question is: Is this normal behavior? I can disable the portscan detection; however, would that reduce my network security?

        The Snort portscan detector can be problematic. I mentioned in another post in a different topic that it is both too sensitive and not sensitive enough. That's a contradiction, but true. It will not detect certain types of scans, and it will be overly sensitive to certain harmless and normal activity. You can try setting the "sensitivity" to LOW. If that does not help much, then add all of your trusted networks and IPs to an Alias and then assign that alias to the "Ignore Scanners" parameter under the Portscan Preprocessor settings.

        Bill

        Heli0s:
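        As an added example (not code from the thread or from pfSense), the script below triages Snort portscan alerts the way Bill describes: it parses fast-format alert lines, keeps only the sfPortscan generator (GID 122), and splits the alerting sources into those already covered by a trusted alias (candidates for "Ignore Scanners") and those that still deserve a look. The alert lines, the alias networks and the VPN server address 203.0.113.10 are all constructed.

```python
"""Triage Snort sfPortscan alerts against a trusted-host alias (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" format; 203.0.113.10 stands in for the
# OpenVPN server, 192.0.2.77 for an unknown host. GID 122 is the sfPortscan generator.
SAMPLE_ALERTS = """\
03/14-10:02:11.123456  [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.10 -> 198.51.100.2
03/14-10:07:13.223344  [**] [122:21:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.10 -> 198.51.100.2
03/14-10:09:40.555555  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.77 -> 198.51.100.2
03/14-10:10:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 192.0.2.77:80 -> 198.51.100.2:51000
"""

# Constructed stand-in for the pfSense alias of trusted peers (VPN server + LAN).
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "192.168.1.0/24")]

# [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(r"\[(\d+):(\d+):\d+\].*?\{[^}]*\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?$")

def parse_fast_alert(line):
    """Return (gid, sid, src_ip, dst_ip) for a fast-format alert line, or None."""
    m = FAST_RE.search(line.strip())
    if not m:
        return None
    gid, sid, src, dst = m.groups()
    return int(gid), int(sid), src, dst

def is_trusted(ip):
    """True if the address falls inside any network of the trusted alias."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED)

def triage_portscans(text):
    """Count sfPortscan (GID 122) alerts per source, split into trusted/untrusted."""
    trusted, untrusted = Counter(), Counter()
    for line in text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed is None or parsed[0] != 122:
            continue  # not a portscan event
        (trusted if is_trusted(parsed[2]) else untrusted)[parsed[2]] += 1
    return trusted, untrusted

def ignore_scanners_line(nets=TRUSTED):
    """Render the alias as the snort.conf sfportscan 'ignore_scanners' option."""
    return "ignore_scanners { " + " ".join(str(n) for n in nets) + " }"

if __name__ == "__main__":
    hits_trusted, hits_untrusted = triage_portscans(SAMPLE_ALERTS)
    print("trusted sources (alias candidates):", dict(hits_trusted))
    print("untrusted sources (investigate):", dict(hits_untrusted))
    print(ignore_scanners_line())
```

        Sources landing in the trusted bucket are the ones to whitelist via the alias; anything in the untrusted bucket should be checked against the firewall's actually open ports before the alert is dismissed.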

          If that's the case, is there a good way to protect my network from port scans? I've tried a few online port scans and some are picked up and some are not.

          bmeeks:

            @Heli0s:

            If that's the case, is there a good way to protect my network from port scans? I've tried a few online port scans and some are picked up and some are not.

            Not that I am aware of. On the other hand, if you have a carefully configured firewall that allows only exactly what is necessary to get in, why worry about a port scan? If those ports are not open, so what? What seems to happen a lot recently is the port scan preprocessor is overly sensitive and triggers on some normal and harmless stuff. I think in an attempt to reduce the sensitivity and prevent those false positives, some of the older port scans are no longer detected. So all in all the utility of the port scan preprocessor seems to be degrading in my view.

            If you still want to use it, then you will need to tinker with all the settings for the preprocessor. That's why I added them to the GUI several revisions back. They will allow you to tweak it so maybe it works for you without triggering on too many false positives.

            Bill
