Netgate Discussion Forum

Snort blocking all torrents

  • W
    wgstarks
    last edited by Jan 8, 2018, 2:36 PM

    Recently installed Snort configured to not block any traffic (alerts only) and loaded the ET rules. Wanted to get an idea of what problems I would have with false positives. After a day or so I realized that snort actually was blocking torrent traffic. The only way I could find to pass the traffic was to uninstall the snort package. I’m sure this whole issue is probably due to ignorance on my part, so I’m looking for advice on how to install and test the package without any major disruptions to my network. Or maybe snort isn’t a good fit with torrents? Should I try some other package?

    Box: SG-4200

    • I
      ivor
      last edited by Jan 8, 2018, 3:23 PM

      It cannot block torrents unless "Block offenders" is checked. Make sure it's not checked.

      Need help fast? Our support is available 24/7 https://www.netgate.com/support/

      • W
        wgstarks
        last edited by Jan 8, 2018, 3:31 PM

        It wasn’t checked. I verified it several times. After uninstalling the package the traffic is passing normally though, so it would seem that snort was responsible for blocking it. I was thinking that I must have misconfigured some other snort setting that caused this?

        Box: SG-4200

        • D
          denova
          last edited by Dec 24, 2018, 6:53 PM

          I know it’s an old topic, but I have the exact same problem and it’s nowhere else on the forum. Torrents work fine with Snort disabled, but with Snort enabled and starting a torrent it will kill off my VPN client connection within a minute. I tried adding the VPN address to Snort’s pass list but no changes. Anyone with a suggestion?

          • R
            Rango
            last edited by Feb 26, 2019, 8:16 PM

            I also have the same problem. Snort 3.2 kills all p2p traffic unless the package is uninstalled. Once snort is uninstalled it works fine. For a second I thought that the ISP is throttling me, but uninstallation proved it did not.

            Here is what I did:
            Set up NAT and its rules with a specific port, for example 1111, on WAN and to the LAN client. Set up qtorrent with only port 1111 and disabled UPnP mapping. The firewall log shows the firewall is passing traffic on that port. Block offenders is checked on the snort interface as I want people that scan my ports etc. to be blocked.

            Here is what I did in snort to fix this, with no success.

            All p2p rules are unchecked. No global emerging threats, certified talos rules. Just running what I picked.
            All policy rules are unchecked.
            For any alerts that show up relating to port 1111, I disabled that rule. After that I go to clear blocked offenders from the snort blocked list.
            Finally I cleared states in the firewall.

            Even with the snort package disabled it was still blocking, maybe as I have not cleared firewall states, but once I uninstalled the snort package and cleared firewall states p2p is working fine now.

            I did test with ubuntu torrents so it would not be seed related either.

            Any solutions to this? Maybe it's user error, and if so please let me know what I'm doing wrong. I think I thought of everything there is to do to allow this.

            • B
              bmeeks @Rango
              last edited by Feb 26, 2019, 9:38 PM

              @rango said in Snort blocking all torrents:

              I also have the same problem. Snort 3.2 kills all p2p traffic unless the package is uninstalled. Once snort is uninstalled it works fine. For a second I thought that the ISP is throttling me, but uninstallation proved it did not.

              Here is what I did:
              Set up NAT and its rules with a specific port, for example 1111, on WAN and to the LAN client. Set up qtorrent with only port 1111 and disabled UPnP mapping. The firewall log shows the firewall is passing traffic on that port. Block offenders is checked on the snort interface as I want people that scan my ports etc. to be blocked.

              Here is what I did in snort to fix this, with no success.

              All p2p rules are unchecked. No global emerging threats, certified talos rules. Just running what I picked.
              All policy rules are unchecked.
              For any alerts that show up relating to port 1111, I disabled that rule. After that I go to clear blocked offenders from the snort blocked list.
              Finally I cleared states in the firewall.

              Even with the snort package disabled it was still blocking, maybe as I have not cleared firewall states, but once I uninstalled the snort package and cleared firewall states p2p is working fine now.

              I did test with ubuntu torrents so it would not be seed related either.

              Any solutions to this? Maybe it's user error, and if so please let me know what I'm doing wrong. I think I thought of everything there is to do to allow this.

              @Rango
              What rules are firing in the alerts? You should be able to find the GID:SID of the firing rules both on the ALERTS and the BLOCKS tabs. You can then disable or suppress just those rules to solve your problem.

              • R
                Rango
                last edited by Rango Feb 26, 2019, 10:08 PM Feb 26, 2019, 10:02 PM

                @bmeeks that's what I've been doing, once I see any snort alert for port 1111 triggered, I click X to disable that rule set so it would not be blocked.

                p2p, tor and policy rules are not checked. What's annoying is that even after no alerts show up for port 1111, snort still brings down torrents to a few kb speed.

                If I close the torrent and reopen it, it works for about a minute and then snort takes all bandwidth down to a few kbs. Once snort is removed it's back to normal. I even see that disabled rule I unblocked in auto flow bits.

                I am willing to disable the entire category that triggers this, but I don't know what that category is since p2p and policy are not even checked.

                • B
                  bmeeks @Rango
                  last edited by bmeeks Feb 27, 2019, 2:50 AM Feb 27, 2019, 2:47 AM

                  @rango said in Snort blocking all torrents:

                  @bmeeks that's what I've been doing, once I see any snort alert for port 1111 triggered, I click X to disable that rule set so it would not be blocked.

                  p2p, tor and policy rules are not checked. What's annoying is that even after no alerts show up for port 1111, snort still brings down torrents to a few kb speed.

                  If I close the torrent and reopen it, it works for about a minute and then snort takes all bandwidth down to a few kbs. Once snort is removed it's back to normal. I even see that disabled rule I unblocked in auto flow bits.

                  I am willing to disable the entire category that triggers this, but I don't know what that category is since p2p and policy are not even checked.

                  If an auto-flowbit rule is firing, then you need to disable that rule. More likely is you may just not have enough box for both Snort and torrents. You say torrents get slow. Do you mean by speed or are you saying they are actually blocked? If blocked, the speed would go to zero bytes/sec. If the speed just slows way down, then it is more likely to be a CPU/network card throughput issue.

                  If Snort is simply slowing things down instead of definitively blocking connections, then either upgrade the box hardware or simply uninstall Snort.

                  • R
                    Rango
                    last edited by Rango Feb 27, 2019, 9:26 PM Feb 27, 2019, 9:14 PM

                    I can try to disable the auto flow bit rule. Is it as easy as disabling the rule itself?

                    My hardware has nothing to do with it. It's a 2.4GHz quad-core Intel i5 processor with 4GB of RAM able to run encryption at ~300Mbps. Without the snort package it runs correctly. It's a snort component doing it, but since p2p and policy are not enabled I'm puzzled what rule or which component is doing this.

                    • B
                      bmeeks @Rango
                      last edited by Feb 28, 2019, 1:41 PM

                      @rango said in Snort blocking all torrents:

                      I can try to disable the auto flow bit rule. Is it as easy as disabling the rule itself?

                      My hardware has nothing to do with it. It's a 2.4GHz quad-core Intel i5 processor with 4GB of RAM able to run encryption at ~300Mbps. Without the snort package it runs correctly. It's a snort component doing it, but since p2p and policy are not enabled I'm puzzled what rule or which component is doing this.

                      If an additional auto-flowbit rule is alerting, it will show up on the ALERTS tab. But note that when in blocking mode, every Snort alert results in a corresponding block of the IP address unless that IP is in a Pass List. And a block will not "slow down" traffic, it will completely stop it. So I continue to be puzzled by your statement that Snort "slows down bandwidth to a few kb/sec". If Snort rule blocks are the issue, the traffic would completely stop: not just slow down.

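The thread's advice is to read the GID:SID of the firing rules off the ALERTS and BLOCKS tabs and disable or suppress just those. The script below is an added example, not from the thread or the pfSense Snort package: it tallies GID:SID pairs for one port from alert lines and renders Snort `suppress` entries for them. It assumes IPv4 alerts in Snort's "fast" text layout (the package's own log layout may differ); the sample lines, SIDs, messages, addresses and function names are constructed.

```python
import re
from collections import Counter

# Constructed sample in Snort's "fast" alert layout; SIDs, messages and IPs are made up.
SAMPLE_ALERTS = """\
02/26-20:01:11.100000  [**] [1:9000001:2] EXAMPLE constructed rule A [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:51413 -> 192.0.2.10:1111
02/26-20:01:12.200000  [**] [1:9000001:2] EXAMPLE constructed rule A [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.9:6881 -> 192.0.2.10:1111
02/26-20:01:15.300000  [**] [120:3:1] EXAMPLE constructed preprocessor event [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.10:1111 -> 203.0.113.5:443
02/26-20:02:00.400000  [**] [1:9000002:1] EXAMPLE constructed rule B [**] [Classification: Misc activity] [Priority: 2] {TCP} 203.0.113.77:40000 -> 192.0.2.10:22
02/26-20:02:05.000000  [**] [1:9000003:1] EXAMPLE constructed ICMP rule [**] [Priority: 3] {ICMP} 203.0.113.77 -> 192.0.2.10
"""

# [gid:sid:rev] message, then {PROTO} src -> dst; classification/priority are optional.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

def _port(endpoint):
    # "ip:port" -> port number; ICMP endpoints carry no port (IPv4 only).
    host, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def rules_touching_port(log_text, port):
    """Count alerts per (gid, sid) where either endpoint uses `port`."""
    hits, msgs = Counter(), {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line in the assumed layout
        if port in (_port(m["src"]), _port(m["dst"])):
            key = (int(m["gid"]), int(m["sid"]))
            hits[key] += 1
            msgs[key] = m["msg"]
    return hits, msgs

def suppress_lines(hits, msgs):
    """Render one commented suppress entry per rule, most frequent first."""
    return [f"# {n} alert(s): {msgs[(g, s)]}\nsuppress gen_id {g}, sig_id {s}"
            for (g, s), n in hits.most_common()]

if __name__ == "__main__":
    hits, msgs = rules_touching_port(SAMPLE_ALERTS, 1111)
    print("\n".join(suppress_lines(hits, msgs)))
```

Suppressing a rule silences its alerts entirely, so review each GID:SID the tally reports before adding it to a suppress list on an interface where Block offenders is enabled.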