Netgate Discussion Forum

    SNORT blocking too much

    IDS/IPS | 30 Posts 11 Posters 11.7k Views
      interessierter wrote:

      Hello!

      Is there a feature available to use a live whitelist in Snort?
      SNORT is blocking too much for me, for example Netflix. As *.netflix.com is not enough, any ideas here?

      thanks

        A Former User wrote:

        That's odd, it never blocks that for me. Your browser may be allowing local IP out or the like. You can suppress rules with Snort, but I would check why it is firing off a block too.
        Suppress is the quick fix until you have time to check why and such. A whitelist, I think, uses fewer resources if the suppress list gets larger. I tend to check out more before I just whitelist a program.

        PS: Netflix here on Firefox with a basic profile (almost default) and NoScript.
        Firewall blocking QUIC (Google protocol) and allowing only ports 80 and 443.

          johnpoz (LAYER 8 Global Moderator) wrote:

          "any ideas here?"

          Yeah, just put it in monitor mode until you have adjusted the rules..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            pfBasic wrote:

            @johnpoz:

            "any ideas here?"

            Yeah, just put it in monitor mode until you have adjusted the rules..

            Agreed, it'll take a bit to figure out which rules are giving you false positives.

            Streaming rules & checksum rules are common culprits of false positives.

              interessierter wrote:

              Hi!

              Hm, is there maybe another IDS for pfSense available?
              I was expecting whitelists and blacklists in the patterns like on pfBlocker.

              For example, Snort is blocking Netflix traffic for me. But the domain names and IPs are not always the same.
              So it's always handwork, is no more handy way possible?

                Derelict (LAYER 8 Netgate) wrote:

                That's not what snort does. It looks for "patterns." Find the pattern that is generating undesirable blocks, look at what it is actually matching on, decide, for yourself, based on YOUR threat model, whether it is something you do or do not need to match on, and if so, deal with it. If not, add it to the suppression list.

                And as has been suggested, turn off blocking until traffic isn't generating undesirable alerts. Then enable blocking.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  johnpoz (LAYER 8 Global Moderator) wrote:

                  IPS/IDS is not something that can be idiot proofed.. It's not a web content filter where you pick categories.. Block porn, allow Netflix ;)

                  Yes the different signatures fall into different categories..

                  Tweaking an IPS to provide protection with as few false positives as possible is for sure a skill that has to be honed..  You're not going to pick it up overnight, and you sure as hell cannot just put Snort into blocking mode without issues out of the gate.

                  You need to run it in monitor mode.. Look at what it shows as hits, weed out the false hits or noise caused by your type of traffic and go from there.  It will require unending management to keep it running smoothly..  Even so, you're going to run into stuff that is blocked that might be legit traffic you want/need to allow.

                    pfBasic wrote:

                    @interessierter:

                    Hm, is there maybe another IDS for pfSense available?

                    Yes, there's Suricata as well. But it won't solve your problem. IPS in general requires you to decide what is a false positive for you and what needs to be blocked.

                    That being said there are several threads on the forum where experienced members have posted lists of rules that can be safely disabled for the average user.

                    You can check them out but will have to decide for yourself whether or not they work for you.

                    From what you've stated about Netflix troubles, a starting place might be disabling the entire stream-events.rules (if you are using ET Open rules?). But you'll need to do more than that.

                    https://forum.pfsense.org/index.php?topic=56267.0

                    https://forum.pfsense.org/index.php?topic=61018.0

                    https://forum.pfsense.org/index.php?topic=64674.0

                    https://github.com/jflsakfja/suricata-rules/blob/master/list.txt

                    That's some good stuff to read.

                      Soarin wrote:

                      @johnpoz:

                      IPS/IDS is not something that can be idiot proofed.. It's not a web content filter where you pick categories.. Block porn, allow Netflix ;)

                      Yes the different signatures fall into different categories..

                      Tweaking an IPS to provide protection with as few false positives as possible is for sure a skill that has to be honed..  You're not going to pick it up overnight, and you sure as hell cannot just put Snort into blocking mode without issues out of the gate.

                      You need to run it in monitor mode.. Look at what it shows as hits, weed out the false hits or noise caused by your type of traffic and go from there.  It will require unending management to keep it running smoothly..  Even so, you're going to run into stuff that is blocked that might be legit traffic you want/need to allow.

                      I wish there was a thumbs up button so I could give this post a thumbs up.

                      I hardly understand pfSense but it was love at first sight.

                        doktornotor wrote:

                        @Soarin:

                        I wish there was a thumbs up button so I could give this post a thumbs up.

                        The button is called "Thank You". Top right corner of the post.

                          interessierter (replying to Soarin) wrote:

                          @Soarin said in SNORT blocking too much:

                          @johnpoz:

                          IPS/IDS is not something that can be idiot proofed.. It's not a web content filter where you pick categories.. Block porn, allow Netflix ;)

                          Yes the different signatures fall into different categories..

                          Tweaking an IPS to provide protection with as few false positives as possible is for sure a skill that has to be honed..  You're not going to pick it up overnight, and you sure as hell cannot just put Snort into blocking mode without issues out of the gate.

                          You need to run it in monitor mode.. Look at what it shows as hits, weed out the false hits or noise caused by your type of traffic and go from there.  It will require unending management to keep it running smoothly..  Even so, you're going to run into stuff that is blocked that might be legit traffic you want/need to allow.

                          I wish there was a thumbs up button so I could give this post a thumbs up.

                          That was never my ask, sorry.
                          I have no problem trying to customize, but when I don't know what, it would be hard. And I try to learn by playing around in my private network. This post is from 2017, now we have 2020, and it's still the case that Snort blocks Amazon Prime and Netflix after some time for me. There is a free rule set available, and I'm the first guy that has this problem and has to troubleshoot on an individual basis? No one uses Snort at home while using streaming services? Cannot believe that...

                            jdeloach (replying to interessierter) wrote:

                            @interessierter said in SNORT blocking too much:

                            @Soarin said in SNORT blocking too much:

                            @johnpoz:

                            IPS/IDS is not something that can be idiot proofed.. It's not a web content filter where you pick categories.. Block porn, allow Netflix ;)

                            Yes the different signatures fall into different categories..

                            Tweaking an IPS to provide protection with as few false positives as possible is for sure a skill that has to be honed..  You're not going to pick it up overnight, and you sure as hell cannot just put Snort into blocking mode without issues out of the gate.

                            You need to run it in monitor mode.. Look at what it shows as hits, weed out the false hits or noise caused by your type of traffic and go from there.  It will require unending management to keep it running smoothly..  Even so, you're going to run into stuff that is blocked that might be legit traffic you want/need to allow.

                            I wish there was a thumbs up button so I could give this post a thumbs up.

                            That was never my ask, sorry.
                            I have no problem trying to customize, but when I don't know what, it would be hard. And I try to learn by playing around in my private network. This post is from 2017, now we have 2020, and it's still the case that Snort blocks Amazon Prime and Netflix after some time for me. There is a free rule set available, and I'm the first guy that has this problem and has to troubleshoot on an individual basis? No one uses Snort at home while using streaming services? Cannot believe that...

                            You are not the first person to have this issue. A search of this forum will show that numerous folks have/had this issue. You need to run with it in the Non-Blocking mode until you get the rules to satisfy your situation.

                            No two home networks are going to be set up the same. That's why each person has to customize the rules for their use. If you don't understand the rules that are getting triggered, you can search this forum or, better yet, use Google to find out what the rules are triggering on and suppress them if they are blocking content that you want to view. This process can take days/weeks/months to get it customized to your needs. Then and only then should you change it to Blocking mode.

                              interessierter wrote:

                              I have googled more than once; the only thing I found was this thread. But I have not searched in this forum. Will do that.

                                bmeeks (replying to interessierter) wrote:

                                @interessierter said in SNORT blocking too much:

                                I have googled more than once; the only thing I found was this thread. But I have not searched in this forum. Will do that.

                                Most home users have no need of the Snort or Suricata packages. These are very complex packages that require a thorough understanding of network security, network technical theory and how various threats are detected. Snort and Suricata are NOT like an anti-virus package that you can just install and configure the virus definitions (rules) to update periodically.

                                There is no cookie-cutter approach to configuring an IDS/IPS. If it is giving you troubles that you can't solve, simply uninstall the package. As I mentioned in the first paragraph, most home users do not need it.

                                If you want to learn about Snort, then Google is your friend, but don't go looking for "how can I do X" or "how can I stop Snort from blocking Netflix". Instead, look for articles, whitepapers and tutorials explaining how an IDS (Intrusion Detection System) works. There are tons and tons of things on the web about Snort. Snort has been around as an IDS for like forever basically. You will need to learn how an IDS actually works, then you will begin to understand its configuration and how to use it and tune it for optimum performance in your network.

                                  interessierter wrote:

                                  I have tried to set up Snort as described here: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html
                                  What I want to achieve is that I see more meaningful information in the alerts section, like on the screenshots at the end of the page (facebook, icloud etc).

                                  I have my list with alerts, but this additional useful info is missing. Why?

                                    bmeeks (replying to interessierter) wrote:

                                    @interessierter said in SNORT blocking too much:

                                    I have tried to set up Snort as described here: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html
                                    What I want to achieve is that I see more meaningful information in the alerts section, like on the screenshots at the end of the page (facebook, icloud etc).

                                    I have my list with alerts, but this additional useful info is missing. Why?

                                    Following your question is difficult due to the translation confusion (I'm guessing English is a second language for you), but it sounds like maybe you need to scroll over to see the Message column on the ALERTS tab. What type of device are you using to view the pfSense GUI screens? If it has a small screen, you will need to scroll over to the right. It could also be that choosing a non-standard theme causes scrolling problems.

                                    A screen capture of what you see on your device would be helpful in order to understand what is missing for you.

                                      interessierter wrote:

                                      Yep, I hope it's not too bad.
                                      I'm on the latest pfSense version, and I use a 34" screen. Scrolling in "all" directions does not change it. Maybe now you understand why I was asking for lists to whitelist and for help. With only these alerts it's really hard to find "good" traffic!

                                      [attached screenshot: 99d1976a-e971-4f7d-87b8-8086a25ddffc-image.png]

                                        bmeeks (replying to interessierter) wrote:

                                        @interessierter said in SNORT blocking too much:

                                        Yep, I hope it's not too bad.
                                        I'm on the latest pfSense version, and I use a 34" screen. Scrolling in "all" directions does not change it. Maybe now you understand why I was asking for lists to whitelist and for help. With only these alerts it's really hard to find "good" traffic!

                                        [attached screenshot: 99d1976a-e971-4f7d-87b8-8086a25ddffc-image.png]

                                        I'm sorry, but I completely do not understand what you are asking for. Everything available from the alerting rules log is displayed on that screen. I mistakenly said Message column but the actual name is Description. I thought perhaps you were viewing on a mobile device and that column was scrolled off the screen. This tab shows alerts coming from the rules you have enabled. If you don't enable the rules (and necessary preprocessors), then no alerts can happen from those rules. Again, though, I really don't understand what you are trying to say is missing.

                                        The best guess I can come up with is you are really not experienced in intrusion detection systems, and if that is true, then Snort is not going to be fun for you. You need to learn about the technology first if this is new to you. You will need to learn the Snort rule syntax and then examine the text of triggering rules to determine what they are alerting on. Research on the rules vendor sites can also help. And learning about the technology requires lots of reading and studying on the web, or else take some classes.

                                          interessierter wrote:

                                          Please go back to the following URL: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html
                                          At the end of the article you see the ALERTS section as discussed. The only difference is that on this screenshot you have, on the right side, information that the request was related to Amazon, iCloud, whatever.

                                          This is the information I'm looking for.

                                            bmeeks (replying to interessierter) wrote:

                                            @interessierter said in SNORT blocking too much:

                                            Please go back to the following URL: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html
                                            At the end of the article you see the ALERTS section as discussed. The only difference is that on this screenshot you have, on the right side, information that the request was related to Amazon, iCloud, whatever.

                                            This is the information I'm looking for.

                                            Oh, so you don't have the OpenAppID rules enabled? That's where that type of information comes from. Did you follow all of the steps in that article you linked? Sounds like you missed one if you are not seeing OpenAppID alerts (or else there is no traffic on your network matching those rules).

                                            To use OpenAppID you must do four things.

                                            1. On the GLOBAL SETTINGS tab enable the download of the OpenAppID Stub Detectors and the OpenAppID text rules (that's two different checkboxes) and save the change.

                                            2. On the PREPROCESSORS tab for the interface, enable the OpenAppID preprocessor and save the change.

                                            3. On the CATEGORIES tab for the interface, enable the OpenAppID rule categories that you want to use by checking the boxes and then saving the change.

                                            4. Restart Snort on that interface using the GUI icon on the INTERFACES tab.

                                            Note that the OpenAppID rules are not perfect. They were created by a volunteer maintainer in Brazil and are hosted by the pfSense team's infrastructure. I don't believe the maintainer has updated them in a while, so that means there are likely some types of traffic they will miss.

                                            Finally, a last warning, if you turn on OpenAppID rule blocking your life will be miserable if folks on your network routinely use social media and streaming apps. That's the type of traffic those rules are designed to detect and usually block. The rules are really designed for corporate enterprise networks where the management does not want the workers wasting work time on social media.

                                            Your question seems to have wandered from "snort is blocking too much" to "I want to see more info". If your original problem is Snort is blocking too much, then turning on OpenAppID is going to make it a whole lot worse! I suspect your real issue is several of the HTTP_INSPECT preprocessor rules are causing you grief when you have blocking enabled. Read through this very long thread to see some examples from more experienced users showing which rules are typically disabled: https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.

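The tuning loop described repeatedly in this thread (run in monitor mode, look at what fires, suppress narrowly where the traffic is known good, only then enable blocking) is usually done by reading the ALERTS tab by hand. The script below is an added example, not code from the thread, pfSense or the Snort package: it parses Snort's "fast" alert format, counts hits per GID:SID, and turns alerts whose destination lies in an operator-declared trusted network into Snort `suppress ... track by_dst` entries (the same syntax pfSense's Suppress List accepts), flags rules that only ever fired on trusted destinations as candidates for a pulledpork-style `disablesid` line, and leaves everything else for manual review. The sample alert lines, SIDs (in the 1000000+ local range), rule messages and the trusted network `198.51.100.0/24` are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort's "fast" alert format. SIDs are in the local
# (1000000+) range and the messages are made up; none of these are real rules.
SAMPLE_ALERTS = """\
03/14-20:01:11.120334  [**] [1:1000001:1] CONSTRUCTED STREAM packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.20:52110 -> 198.51.100.7:443
03/14-20:01:12.550912  [**] [1:1000001:1] CONSTRUCTED STREAM packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.20:52110 -> 198.51.100.7:443
03/14-20:01:15.001209  [**] [119:1000002:1] CONSTRUCTED http_inspect long header [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.31:49800 -> 198.51.100.9:443
03/14-20:02:40.777001  [**] [1:1000003:2] CONSTRUCTED suspicious beacon check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.45:40022 -> 203.0.113.77:8080
03/14-20:03:02.000001  [**] [1:1000004:1] CONSTRUCTED ICMP large echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 198.51.100.7
"""

# One fast-format alert: "[**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]".
# Ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
    }


def parse_log(text):
    """Parse a whole alert log, silently skipping lines that are not alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def count_by_rule(alerts):
    """Which rules are noisiest? A Counter keyed by (gid, sid)."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def _in_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def tuning_plan(alerts, trusted_nets, min_alerts=2):
    """Split alerts into narrow suppressions, disable candidates and manual review.

    trusted_nets: CIDR strings the operator has decided are known-good destinations
    (e.g. a streaming provider's ranges). Suppression is scoped by destination IP so
    the rule keeps firing for any other host; a rule is only proposed for disabling
    when every one of its hits (at least min_alerts) went to a trusted destination.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[(a["gid"], a["sid"])].append(a)

    suppress, disable, review = [], [], []
    for (gid, sid), hits in sorted(by_rule.items()):
        trusted_dsts = sorted({a["dst"] for a in hits if _in_trusted(a["dst"], nets)})
        untrusted = [a for a in hits if not _in_trusted(a["dst"], nets)]
        review.extend(untrusted)  # hits to unknown hosts are never auto-suppressed
        if not trusted_dsts:
            continue
        if not untrusted and len(hits) >= min_alerts:
            disable.append(f"{gid}:{sid}")  # pulledpork-style disablesid line
        else:
            ip_list = trusted_dsts[0] if len(trusted_dsts) == 1 else "[" + ",".join(trusted_dsts) + "]"
            suppress.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip_list}")
    return {"suppress": suppress, "disable": disable, "review": review}


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_ALERTS)
    for (gid, sid), n in count_by_rule(alerts).most_common():
        print(f"{gid}:{sid} fired {n}x")
    plan = tuning_plan(alerts, ["198.51.100.0/24"])  # constructed trusted range
    print("\n".join(plan["suppress"]))
    print("disable candidates:", plan["disable"])
    for a in plan["review"]:
        print("REVIEW", a["gid"], a["sid"], a["msg"], a["src"], "->", a["dst"])
```

Feeding a real log means pointing `parse_log` at the text of the interface's alert log; the trusted-network list is the judgement call the thread keeps coming back to, and the "review" bucket is what should stay in front of a human before blocking mode is turned on.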
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.