Snort started blocking almost all downloads
-
I have been using pfSense and Snort for about a year now without any problems, and now Snort has started to block almost all downloads from the web. I haven't changed any of the settings. What would cause this, and what do I need to change? For now, if I need to do any bigger downloads for drivers and software, I just turn Snort off until I am done. It is not blocking any websites it's not supposed to. Dave
-
Our crystal balls are out of service. Perhaps start with the alerts tab?
-
Now a lot of websites are getting blocked with this description: (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE. This is happening with normal websites we use every day (Yahoo, eBay, Amazon, etc.); Snort will block them for no reason. What can I change in the settings to make it not so aggressive? I understand having to tweak a few things here and there, but now I am getting a regular "Dave, your firewall is blocking another website".
-
Disable the offending rule. Simple.
-
It takes a bit of trial-and-error with Snort (and any other IDS/IPS), but well worth it once you've got it all right.
When I first went to deploy it, I took a few hours' worth of Squid access logs and went to the most frequently visited sites to get a good list of rules to disable on the production box.
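The log-driven triage described above can be automated. The following is an added example, not code from the thread, from Snort or from the pfSense package: it parses Snort "alert_fast" log lines, counts hits per gid:sid, and emits suppress directives in Snort's own syntax. The sample log lines and their gid/sid values (120:999, 1:2000001, 1:2000002) are constructed placeholders, not the real ids of the http_inspect message quoted in the thread; the `min_hits` threshold and the single-source heuristic are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Snort "alert_fast" line layout:
#   timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (documentation/TEST-NET addresses). The gid/sid pairs are
# placeholders chosen for this example, not the real preprocessor or rule ids.
SAMPLE_LOG = """\
03/14-09:12:01.123456  [**] [120:999:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.25:51234
03/14-09:15:44.654321  [**] [120:999:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.20:80 -> 192.168.1.30:51900
03/14-09:20:10.000001  [**] [120:999:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.30:443 -> 192.168.1.25:52000
03/14-09:21:30.000002  [**] [1:2000001:2] EXAMPLE one-off alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.5:443 -> 192.168.1.25:50000
03/14-09:30:00.000003  [**] [1:2000002:1] EXAMPLE noisy single host [**] [Classification: Misc activity] [Priority: 2] {UDP} 198.51.100.9:53 -> 192.168.1.40:40000
03/14-09:31:00.000004  [**] [1:2000002:1] EXAMPLE noisy single host [**] [Classification: Misc activity] [Priority: 2] {UDP} 198.51.100.9:53 -> 192.168.1.41:40001
03/14-09:32:00.000005  [**] [1:2000002:1] EXAMPLE noisy single host [**] [Classification: Misc activity] [Priority: 2] {UDP} 198.51.100.9:53 -> 192.168.1.42:40002
"""


def parse_alerts(text):
    """Return one dict per parsable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_signature(alerts):
    """Hit count per (gid, sid), so the noisiest signatures surface first."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def suggest_suppressions(alerts, min_hits=3):
    """Build Snort 'suppress' directives for signatures firing at least min_hits times.

    Heuristic (an assumption of this example): if every hit of a signature came from
    one source address, suppress it only for that source ('track by_src') so the rule
    keeps protecting against everyone else; otherwise suppress the signature outright.
    """
    hits = count_by_signature(alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[(a["gid"], a["sid"])].add(a["src"])

    directives = []
    for (gid, sid), n in hits.most_common():
        if n < min_hits:
            break  # most_common() is sorted descending, nothing later qualifies
        srcs = sources[(gid, sid)]
        if len(srcs) == 1:
            (ip,) = srcs
            directives.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            directives.append(f"suppress gen_id {gid}, sig_id {sid}")
    return directives


def report(text, min_hits=3):
    """Print the per-signature counts and the suggested suppress lines for review."""
    alerts = parse_alerts(text)
    msgs = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    for (gid, sid), n in count_by_signature(alerts).most_common():
        print(f"{n:5d}  [{gid}:{sid}]  {msgs[(gid, sid)]}")
    print("\n# suggested suppress directives (review before applying):")
    for d in suggest_suppressions(alerts, min_hits):
        print(d)


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real alert file instead of `SAMPLE_LOG` to get a ranked list. Review each suggested line before adding it: a signature that fires on every visit to a legitimate site is a tuning candidate, but a signature that fires three times from one unfamiliar external host is exactly the kind of alert the IDS exists to raise, and suppressing it by source hides it rather than fixing anything.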
-
Perhaps this thread has some good pointers? https://forum.pfsense.org/index.php?topic=78062.0
Also: https://raw.githubusercontent.com/jflsakfja/suricata-rules/master/list.txt
-
My problem is I did go through the blocks and alerts at the beginning and made it so everything I wanted to pass through did. A year later, without touching any of the settings, it's starting to block all kinds of websites. While I don't mind going in and changing a few things here and there in pfSense, I don't have time to stop what I am doing in the shop 5 or 6 times a day because another website is blocked. We have people online looking at all kinds of websites for research and purchasing different things.
-
You might just consider running Snort in IDS mode instead of blocking mode. This would give you alerts on suspicious traffic but would not block it. The other options are to run less restrictive rules or to spend some time tuning by disabling/suppressing some rules and alerts.
Bill
-
My problem is I did go through the blocks and alerts at the beginning and made it so everything I wanted to pass through did. A year later, without touching any of the settings, it's starting to block all kinds of websites. While I don't mind going in and changing a few things here and there in pfSense, I don't have time to stop what I am doing in the shop 5 or 6 times a day because another website is blocked. We have people online looking at all kinds of websites for research and purchasing different things.
This does happen occasionally, as new potential threats are added to the rulesets through updates.
As bmeeks mentioned, you could either run a generally more permissive ruleset, or disable blocking and have a look at what's going on every so often.
Good security does need proper maintenance, as new threats are always emerging.