Snort alerts when logged in to network via VPN



  • I'm running pfSense 2.3.4-RELEASE, with snort 3.2.9.2_16.  Snort is set up on the LAN interface.  I've got OpenVPN set up so I can log in to the local network when I'm on the road.  I was on the road the last couple of days, and noted some new snort alerts that have me puzzled.

    I got several 1:2018373 ET CURRENT_EVENTS Malformed HeartBeat Response alerts with the SRC as my FreeNAS server, on port 548, and the DST as the OpenVPN IP (I was logged in via my laptop).

    I also had one alert with 1:2018372 ET CURRENT_EVENTS Malformed HeartBeat Request with the SRC as the OpenVPN IP and the DST as the FreeNAS box on port 548.

    The FreeNAS box is serving some AFP shares (port 548).

    I'm baffled why I would be getting these alerts, and only when using the VPN.  I looked at the SID suppression list I'm using, and I don't see those alerts suppressed for the LAN, so I would have expected to be getting them all the time, if there was something that would trigger them.

    Any thoughts appreciated.

    Thanks.



  • Some guesses on my part –

    Something on your laptop was maybe trying to swap some AFP share info with FreeNAS.  That would not really be unexpected if you also use the laptop at home on the LAN.

    When you are home and everything is within your LAN, Snort will not necessarily be seeing NAS-to-laptop traffic as everything would be switched at layer 2 by your network switch.  So no alerts then if Snort and the firewall do not see the traffic.

    When you are on the road, Snort sees everything on the VPN as it comes in from the WAN and gets sent on to the LAN.

    As for the alert itself, it could very well just be some kind of false positive in your setup.  Maybe some fragmentation is/was happening on the VPN side ???

    Bill



  • @bmeeks:

    Some guesses on my part –

    Something on your laptop was maybe trying to swap some AFP share info with FreeNAS.  That would not really be unexpected if you also use the laptop at home on the LAN.

    When you are home and everything is within your LAN, Snort will not necessarily be seeing NAS-to-laptop traffic as everything would be switched at layer 2 by your network switch.  So no alerts then if Snort and the firewall do not see the traffic.

    When you are on the road, Snort sees everything on the VPN as it comes in from the WAN and gets sent on to the LAN.

    As for the alert itself, it could very well just be some kind of false positive in your setup.  Maybe some fragmentation is/was happening on the VPN side ???

    Bill

    You are right of course that snort would not see this traffic if I was home.  The alert must be a false positive.  I'll suppress it.

    Thanks for all the work you do on the snort package.
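An added example, not from the thread or the pfSense Snort package: how the suppression the original poster intends could be scoped to the two hosts that produced the false positives instead of silencing the SIDs for the whole LAN. The addresses (FreeNAS at 192.168.1.20, OpenVPN tunnel network 10.8.0.0/24) are assumptions.

```snort
# Added example (not from the thread). Snort suppress-list entries for the two
# ET CURRENT_EVENTS HeartBeat SIDs that fired on VPN<->NAS AFP traffic (TCP/548).
# Assumed addresses: FreeNAS 192.168.1.20, OpenVPN tunnel network 10.8.0.0/24.

# Broad form: silences each SID for every host, so a genuine TLS heartbeat
# anomaly anywhere else on the LAN would also go unreported.
suppress gen_id 1, sig_id 2018373
suppress gen_id 1, sig_id 2018372

# Scoped form: suppress only for the pairing seen in the alerts; the same
# SIDs still fire for any other source address.
# "Malformed HeartBeat Response" (2018373) fired with the NAS as source:
suppress gen_id 1, sig_id 2018373, track by_src, ip 192.168.1.20
# "Malformed HeartBeat Request" (2018372) fired with the VPN client as source:
suppress gen_id 1, sig_id 2018372, track by_src, ip 10.8.0.0/24
```

In the pfSense Snort package these lines go into the Suppress List assigned to the LAN interface; after saving, restart Snort on that interface so the list is reloaded.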