Netgate Discussion Forum

    Snort blocking speedtest

    • W
      Waqar.UK
      last edited by Waqar.UK

      Hello again,

      I installed Snort and can, as far as I can tell, reach websites apart from speedtest.net. This is from my direct Ethernet-to-desktop and wireless connections. Nor can I reach any other speed testing sites / applications. How do I resolve this?

      • bmeeksB
        bmeeks
        last edited by bmeeks

        I know I probably sound like an old curmudgeon with this reply; but I am old, it's still early morning here where I live, and I'm behind on my morning coffee consumption -- so here goes 🙂.

        Why would you install a package that blocks things without first fully understanding how it works, how to administer it and how to tune the rule settings?

        The very first thing you should do is go to the INTERFACE SETTINGS tab for the interfaces where you have Snort running and turn off blocking. Then go to the BLOCKS tab and click the Clear button to remove all Snort blocks. DO NOT enable blocking when you first install the package! Most especially don't do this if you have no experience administering and tuning an IDS/IPS! Run with blocking disabled for several weeks to gauge your network traffic patterns, to see what types of false positives are happening, and to tune the rule sets you select. Only after you have tuned your rules and created necessary suppression lists (or disabled those rules entirely as appropriate) should you enable blocking again.

        Next, go read the official documentation here: https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html. That will show you how to configure the package, and most importantly, show you how to find alerts, blocks and Suppression Lists.

        Last, spend some time on Google researching how to tune an IDS/IPS (how to select the rules needed to address the attack surfaces in your network, how to disable unneeded rules or suppress certain alerts and how to analyze alerts to determine if an alert is a real threat or just a false positive).

        P.S. -- I had a second mug of coffee, and the sun has come out from behind the clouds, so I feel better now ... 🙂. Here are some hints:

        1. IP addresses currently being blocked by Snort are always shown on the BLOCKS tab.

        2. The rule or rules that triggered to block an IP are shown on the ALERTS tab. There is a drop-down selector at the top of that page to choose the Snort-configured interface to view. Be sure you have the correct interface selected when looking for alerts (or else be sure to examine all the interfaces available in that drop-down). Icons beside the alert lines will show whether or not a rule resulted in a blocked IP address. Hover your mouse over the various icons and a tooltip will pop up describing what the icon does or what it represents.

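Added example, not part of the post above and not code from the pfSense Snort package: a way to work through alerts collected while blocking is disabled, ranking rules by hit count and drafting a Snort `suppress` entry for each noisy one to review. It assumes alerts in Snort's classic one-line "fast" format (the log format on a given install may differ); the SIDs, messages, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort's one-line "fast" format.
# SIDs 1000001-1000003, messages and addresses are made up.
SAMPLE_ALERTS = """\
03/01-09:15:02.100000  [**] [1:1000001:1] EXAMPLE speed test client traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51000 -> 203.0.113.10:8080
03/01-09:15:03.200000  [**] [1:1000001:1] EXAMPLE speed test client traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.21:51002 -> 203.0.113.10:8080
03/01-09:16:40.300000  [**] [1:1000001:1] EXAMPLE speed test client traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51004 -> 203.0.113.10:8080
03/01-10:02:11.400000  [**] [1:1000002:2] EXAMPLE policy rule hit [**] [Classification: Policy violation] [Priority: 2] {TCP} 192.168.1.20:51010 -> 198.51.100.7:443
03/01-10:05:19.500000  [**] [1:1000002:2] EXAMPLE policy rule hit [**] [Classification: Policy violation] [Priority: 2] {TCP} 192.168.1.22:51012 -> 198.51.100.8:443
03/01-11:30:00.600000  [**] [1:1000003:1] EXAMPLE one-off scan alert [**] [Classification: Attempted recon] [Priority: 2] {UDP} 198.51.100.99:4000 -> 192.168.1.1:53
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} [\d.]+(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def summarize(log_text):
    """Tally alerts per (gid, sid); remember message and destinations."""
    counts, msgs, dsts = Counter(), {}, defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        msgs[key] = m["msg"]
        dsts[key].add(m["dst"])
    return counts, msgs, dsts

def review_report(log_text, min_hits=2):
    """Noisiest rules first, each with a candidate suppress entry."""
    counts, msgs, dsts = summarize(log_text)
    report = []
    for (gid, sid), n in counts.most_common():
        if n < min_hits:
            continue  # rare alerts deserve individual analysis instead
        entry = f"suppress gen_id {gid}, sig_id {sid}"
        targets = dsts[(gid, sid)]
        if len(targets) == 1:  # one host only: scope the suppression to it
            entry += f", track by_dst, ip {next(iter(targets))}"
        report.append((n, msgs[(gid, sid)], entry))
    return report

if __name__ == "__main__":
    for n, msg, entry in review_report(SAMPLE_ALERTS):
        print(f"{n:3d}  {msg}\n     {entry}")
```

Each drafted entry is only a candidate: whether to suppress, disable the rule, or leave it active is the judgment the alert analysis is meant to inform.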
        • S
          SteveITS Galactic Empire @bmeeks
          last edited by

          @bmeeks said in Snort blocking speedtest:

          https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html

          That page shows putting it on the WAN interface in several examples...I don't suppose you could convince them to use LAN throughout?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • W
            Waqar.UK
            last edited by

            Thanks all. I will read up on Snort.

            • bmeeksB
              bmeeks @SteveITS
              last edited by

              @teamits said in Snort blocking speedtest:

              @bmeeks said in Snort blocking speedtest:

              https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html

              That page shows putting it on the WAN interface in several examples...I don't suppose you could convince them to use LAN throughout?

              Yeah, that part and the screenshots that accompany it are quite ancient. At one time I had "edit" access to the doc wiki. I can check if I still do and maybe make some adjustments based on current recommendations.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.