Netgate Discussion Forum

    Snort Not Playing Nicely with VPN Servers

    2 Posts 2 Posters 816 Views
    JWells wrote:

      I'm a regular user of a VPN provider and snort seems to be blocking every single one of the servers I connect to shortly after connecting. I've tried using IP Lists and passing it on the WAN interface as a whitelist and trusting the IPs. Am I missing something, because that seems like all I need to do. The only other thing I can think to do is suppress that alert completely. I believe it falls under "UDP filtered distributed portscan".

    bmeeks wrote:

        I would just disable the portscan preprocessor. It is way over sensitive in most cases, and that over sensitivity is compounded on pfSense because of the absolutist nature of the "block offenders" option. In a true IPS you would have only some rules set to "drop" so the offenders are truly blocked. Many other rules would just be set to "alert" so they would log a notification, but the traffic would not be blocked. The alerts would be scanned periodically by an admin and action taken if an alert indicated a problem. The blocks would be reserved for just the well-known malicious stuff.

        On pfSense this dual action (drop versus just alert) is not possible with Snort. So if "block offenders" is turned on, then every single rule or preprocessor that fires an alert is going to try and generate a block based on that alert. In effect, every single rule becomes a type of "drop" rule. So there is no graded approach to security whereby some less malicious things are just alerts and full-blown sure-fire attacks are the only things dropped or blocked.

        So this means you need to be a little more relaxed with some Snort rules and disable some of the ones that are prone to false positives. Either that or just run Snort in IDS mode and turn off "block offenders".

        Bill

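Bill's graded alert-versus-drop model, worked through as an added Python triage example (this is not code from the thread, from pfSense or from Snort): it parses Snort alert_fast-style lines, treats a pass list of VPN server prefixes as trusted, and blocks only rules on a drop list, unless block_offenders mode is on, in which case every alert turns into a block exactly as described above. The alert lines, addresses and rule ids below are constructed for the example; only the rule-id format and the portscan preprocessor's generator id 122 are taken from Snort's real output.

```python
import ipaddress
import re

# Snort alert_fast-style lines, constructed for this example (not captured traffic).
# "[gid:sid:rev]" identifies the rule; gid 122 is the portscan preprocessor,
# gid 1 an ordinary text rule. Addresses are from documentation ranges.
SAMPLE_ALERTS = [
    "01/15-10:22:33.123456  [**] [122:22:1] (portscan) UDP Filtered Distributed Portscan [**] "
    "[Priority: 3] {PROTO:017} 203.0.113.5 -> 192.0.2.10",
    "01/15-10:22:40.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.10:51234",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\].*?\{[^}]+\}\s+"
    rf"(?P<src>{IPV4})(?::\d+)?\s+->\s+(?P<dst>{IPV4})(?::\d+)?\s*$"
)

def parse_alert(line):
    """Return the fields needed for a block decision, or None if not an alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "priority": int(m["prio"]), "src": m["src"], "dst": m["dst"]}

class Policy:
    """Graded handling; block_offenders=True reproduces pfSense's 'every alert blocks'."""
    def __init__(self, pass_nets, drop_rules, block_offenders=False):
        self.pass_nets = [ipaddress.ip_network(n) for n in pass_nets]
        self.drop_rules = set(drop_rules)   # (gid, sid) pairs an admin chose to block
        self.block_offenders = block_offenders

    def decide(self, alert):
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in self.pass_nets):
            return "pass"                   # trusted VPN server: never blocked
        if self.block_offenders:
            return "drop"                   # absolutist mode: every alert blocks
        if (alert["gid"], alert["sid"]) in self.drop_rules:
            return "drop"                   # well-known malicious rule: block
        return "alert"                      # log only, for an admin to review

def triage(lines, policy):
    """Apply the policy to each parsable line; returns (action, src, msg) tuples."""
    alerts = filter(None, (parse_alert(l) for l in lines))
    return [(policy.decide(a), a["src"], a["msg"]) for a in alerts]
```

Running `triage(SAMPLE_ALERTS, Policy([], [], block_offenders=True))` drops both sources, which is what the VPN servers in the question are hitting; adding their prefix to the pass list or switching to a drop list is the graded alternative.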