Snort Not Playing Nicely with VPN Servers

  • I'm a regular user of a VPN provider and snort seems to be blocking every single one of the servers I connect to shortly after connecting. I've tried using IP Lists and passing it on the WAN interface as a whitelist and trusting the IPs. Am I missing something, because that seems like all I need to do. The only other thing I can think to do is suppress that alert completely. I believe it falls under "UDP filtered distributed portscan".

  • I would just disable the portscan preprocessor.  It is way over sensitive in most cases, and that over sensitivity is compounded on pfSense because of the absolutist nature of the "block offenders" option.  In a true IPS you would have only some rules set to "drop" so the offenders are truly blocked.  Many other rules would just be set to "alert" so they would log a notification, but the traffic would not be blocked.  The alerts would be scanned periodically by an admin and action taken if an alert indicated a problem.  The blocks would be reserved for just the well-known malicious stuff.

    On pfSense this dual action (drop versus just alert) is not possible with Snort.  So if "block offenders" is turned on, then every single rule or preprocessor that fires an alert is going to try and generate a block based on that alert.  In effect, every single rule becomes a type of "drop" rule.  So there is no graded approach to security whereby some less malicious things are just alerts and full-blown sure-fire attacks are the only only things dropped or blocked.

    So this means you need to be a little more relaxed with some Snort rules and disable some of the ones that are prone to false positive.  Either that or just run Snort in IDS mode and turn off "block offenders".