Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=
-
This is exactly why I don't use Snort or Suricata. Too many false positives and hits on totally benign traffic. Why on Earth would Snort block tcp/80 traffic to Microsoft?
Glad to hear that you've figured it out.
-
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
Apparently, it is getting blocked by snort (snort2:c). I looked in the Snort log and see it listed in the alerts. I'm trying to remove that from the list of blocked IPs.
Snort would generally only block this when you have the somewhat stringent policy rules enabled (Emerging Threats policy rules are what I'm talking about). One other possibility is some of the HTTP_INSPECT preprocessor rules. If you post the specific rule that blocked (either screen capture the alert or post up the numbers from the GID:SID column), that will help.
-
Thanks for sharing that. I was going into the Alerts and Tables and kept forcing to delete that IP but it kept coming back on its own. I eventually did a force-disable action on the rule (in the Alerts tab) and now it is not blocking it.
I'm going to look at what you suggested, too. Thanks!
@bmeeks said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
Apparently, it is getting blocked by snort (snort2:c). I looked in the Snort log and see it listed in the alerts. I'm trying to remove that from the list of blocked IPs.
Snort would generally only block this when you have the somewhat stringent policy rules enabled (Emerging Threats policy rules are what I'm talking about). One other possibility is some of the HTTP_INSPECT preprocessor rules. If you post the specific rule that blocked (either screen capture the alert or post up the numbers from the GID:SID column), that will help.
-
I found that Emerging Threats IS enabled. I'll have to read up on that a bit to better understand what it is doing and if needed. Thx!
-
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
I found that Emerging Threats IS enabled. I'll have to read up on that a bit to better understand what it is doing and if needed. Thx!
There are many Emerging Threats rule categories. I was specifically talking about the one called "Policy Rules" or something close to that (can't remember the exact name at the moment). It alerts on stuff like downloading EXE files, visiting software update sites, etc. That rule category (or at least some of the rules in that category) may be too stringent for many networks. An admin might want a stringent policy like that if say they ran an internal Microsoft Update Services Server and wanted to restrict company PCs to only receiving updates from that setup and not allow them access to outside sources of software updates.
You can see the rule categories on the CATEGORIES tab, and there you can click the hyperlinks to see the individual rules within each category. Or you can go to the RULES tab for an interface and select from the enabled categories for that interface and view and manage the individual rules that way.
-
@bmeeks said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
Snort would generally only block this when you have the somewhat stringent policy rules enabled (Emerging Threats policy rules are what I'm talking about). One other possibility is some of the HTTP_INSPECT preprocessor rules. If you post the specific rule that blocked (either screen capture the alert or post up the numbers from the GID:SID column), that will help.
The rule was @18(1000000110). I can't remember exactly but said something like, "Labeled Block Snort2:c..."
-
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
@bmeeks said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
Snort would generally only block this when you have the somewhat stringent policy rules enabled (Emerging Threats policy rules are what I'm talking about). One other possibility is some of the HTTP_INSPECT preprocessor rules. If you post the specific rule that blocked (either screen capture the alert or post up the numbers from the GID:SID column), that will help.
The rule was @18(1000000110). I can't remember exactly but said something like, "Labeled Block Snort2:c..."
No, that's just the pfSense firewall rule name. Snort actually blocks by putting IP addresses in a special pf packet filter firewall table called snort2c. Snort itself will show blocks on the BLOCKS tab of Snort (access via SERVICES > SNORT from the pfSense menu). You can see Snort's alerts on the ALERTS tab within the Snort GUI (access via the same menu path). If you are new to administering Snort on pfSense, then this link can help: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html.
-
@bmeeks said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
I found that Emerging Threats IS enabled. I'll have to read up on that a bit to better understand what it is doing and if needed. Thx!
There are many Emerging Threats rule categories. I was specifically talking about the one called "Policy Rules" or something close to that (can't remember the exact name at the moment). It alerts on stuff like downloading EXE files, visiting software update sites, etc. That rule category (or at least some of the rules in that category) may be too stringent for many networks. An admin might want a stringent policy like that if say they ran an internal Microsoft Update Services Server and wanted to restrict company PCs to only receiving updates from that setup and not allow them access to outside sources of software updates.
You can see the rule categories on the CATEGORIES tab, and there you can click the hyperlinks to see the individual rules within each category. Or you can go to the RULES tab for an interface and select from the enabled categories for that interface and view and manage the individual rules that way.
OK, so under Snort | WAN | Categories, I now see the list of rulesets. Since I already did a forced disable of the rule, I imagine it is no longer checked. So, I'll see if I can go backwards and figure it out. Thanks!
-
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
@bmeeks said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
I found that Emerging Threats IS enabled. I'll have to read up on that a bit to better understand what it is doing and if needed. Thx!
There are many Emerging Threats rule categories. I was specifically talking about the one called "Policy Rules" or something close to that (can't remember the exact name at the moment). It alerts on stuff like downloading EXE files, visiting software update sites, etc. That rule category (or at least some of the rules in that category) may be too stringent for many networks. An admin might want a stringent policy like that if say they ran an internal Microsoft Update Services Server and wanted to restrict company PCs to only receiving updates from that setup and not allow them access to outside sources of software updates.
You can see the rule categories on the CATEGORIES tab, and there you can click the hyperlinks to see the individual rules within each category. Or you can go to the RULES tab for an interface and select from the enabled categories for that interface and view and manage the individual rules that way.
OK, so under Snort | WAN | Categories, I now see the list of rulesets. Since I already did a forced disable of the rule, I imagine it is no longer checked. So, I'll see if I can go backwards and figure it out. Thanks!
Actually you just disabled a single rule in a large category of similar rules. The CATEGORIES tab shows you the rule categories selected for use. The RULES tab is where you can see the individual rules within each category. Each rule has a unique SID (Signature ID). To see which rule out of the many in the Policy Category you disabled, open that rule set on the RULES tab and scroll the list of SIDs. You will see rules that are default enabled and also rules that are default disabled by the vendor. The SID you force-disabled will show up with a special icon (see the legend at the top of the page, or hover over the State column to see a tooltip pop-up).
Many times a rule category will have default-disabled rules because those rules are very false-positive prone in many networks. The rule authors leave it up to the security admin to enable those rules if they wish (and also to disable "default enabled" rules should they wish or need to). In your case, that rule was what we might call a false positive in your environment so disabling that specific SID is OK.
-
@bmeeks
Ah, I see that now. There is a tab titled WAN Rules. Well, I probably can't figure out what it was, but it should be good now. Thanks!
-
@Gr8Britton said in Cannot resolve any sites at https://go.microsoft.com/fwlink/?LinkId=:
@bmeeks
Ah, I see that now. There is a tab titled WAN Rules. Well, I probably can't figure out what it was, but it should be good now. Thanks!
You can see exactly which Snort rule blocked by going to the ALERTS tab, choosing the WAN interface in the drop-down at the top, and then looking through the list of alerts to find one containing the IP address that was blocked. In your case that was 23.65.34.215. Find that alert in the DST column. If I recall correctly, you can click the DST column header to sort by the data. On the row for that alert it will show you the rule GID (Generator ID) and SID (Signature ID). The GID is usually "1" for most text rules. The SID, as I said earlier, is unique to a specific rule. In the right-hand column you can find a summary of the rule's message. From that you can usually guess which category the rule is in, but the SID will uniquely identify the rule.
P.S. -- the above assumes your network traffic is not so high as to cause the alerts log to rollover. In that case, that alert may have rolled into an archived log and no longer be visible using the GUI tools.
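The lookup bmeeks describes (find the alert whose DST is the blocked IP, read its GID:SID) can also be done directly against the Snort alert file when the GUI list has rolled over or is too long to scan. This is an added example, not code from the thread or the pfSense Snort package; it assumes the 13-field alert CSV layout the package configures (timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, id, classification, priority) and uses constructed sample lines with illustrative SIDs.

```python
import csv
from typing import List, NamedTuple

# Assumed field order of the pfSense Snort alert CSV file (see lead-in).
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "srcport",
          "dst", "dstport", "id", "classification", "priority"]

class Alert(NamedTuple):
    timestamp: str
    gid: str
    sid: str
    msg: str
    src: str
    dst: str
    dstport: str

# Constructed sample alerts; the SIDs and messages are illustrative only.
SAMPLE_ALERTS = """\
03/13-10:22:01.123456 ,1,2000419,18,ET POLICY PE EXE or DLL Windows file download,TCP,192.168.1.50,51234,23.65.34.215,80,1234,Potential Corporate Privacy Violation,1
03/13-10:22:05.654321 ,1,2001219,20,ET SCAN Potential SSH Scan,TCP,198.51.100.7,40001,192.168.1.1,22,4321,Attempted Information Leak,2
03/13-10:23:11.000001 ,1,2000419,18,ET POLICY PE EXE or DLL Windows file download,TCP,192.168.1.51,51300,23.65.34.215,80,1235,Potential Corporate Privacy Violation,1
"""

def parse_alerts(text: str) -> List[Alert]:
    """Parse alert CSV lines into Alert records, skipping malformed rows."""
    out = []
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue  # truncated or foreign line; ignore rather than misattribute
        rec = dict(zip(FIELDS, row))
        out.append(Alert(rec["timestamp"].strip(), rec["gid"], rec["sid"],
                         rec["msg"], rec["src"], rec["dst"], rec["dstport"]))
    return out

def alerts_for_dst(alerts: List[Alert], ip: str) -> List[Alert]:
    """Equivalent of sorting the ALERTS tab by DST and picking the blocked IP."""
    return [a for a in alerts if a.dst == ip]

def gid_sid_entries(alerts: List[Alert]) -> List[str]:
    """Unique GID:SID pairs, the form a per-SID disable list is keyed by
    (assumption: pfSense SID management accepts gid:sid lines)."""
    return sorted({f"{a.gid}:{a.sid}" for a in alerts})

if __name__ == "__main__":
    hits = alerts_for_dst(parse_alerts(SAMPLE_ALERTS), "23.65.34.215")
    for a in hits:
        print(a.timestamp, f"{a.gid}:{a.sid}", a.msg, a.src, "->", a.dst)
    print("rules to review:", gid_sid_entries(hits))
```

Review the message and category of each GID:SID before disabling it; disabling one SID silences only that rule, while a whole category may still hold similar policy rules.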