Unknown snort rule



  • Hi all
    I'm new to pfSense and Snort but have spent the best part of a week playing with the system.

    Since adding Snort we've found lots of weird behaviour, like Netflix just stopping half-way through a movie etc.

    Looking at my logs I see many alerts for things I wouldn't expect - like it's blocking HTTPS for example.  The rule mentioned is nowhere to be found (Googled a lot before posting here).

    For example…
    07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
    07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
    07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
    07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
    07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56739,Misc activity,3,

    If I look for the rule numbers I cannot find them online.

    Why would HTTPS be being blocked? It makes no Pfsense ;-)

    Thanks

    Matt



  • Found them!  OpenAppID rules, I had them all enabled.

    Logs cleared and back to normal

    ::)
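A small triage helper for alert lines like those quoted in the first post, added here as an example and not part of the thread: it tallies alerts per rule ID and lists the IDs that fired on the same packet, so unfamiliar rule IDs can be isolated before checking which enabled rule category they belong to. The column names are an assumed layout for these CSV lines; the page does not state them.

```python
import csv
from collections import defaultdict

# Assumed column order for the alert lines in the post (not stated on the page).
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "sport",
          "dst", "dport", "id", "classification", "priority"]

# The five alert lines quoted in the post.
SAMPLE = """\
07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56739,Misc activity,3,
"""

def parse_alerts(text):
    """Parse CSV alert lines into dicts; blank or truncated lines are skipped."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) < len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, (f.strip() for f in rec))))
    return rows

def summarize(rows):
    """Alert count and distinct flows per (gid, sid, msg)."""
    stats = defaultdict(lambda: {"count": 0, "flows": set()})
    for r in rows:
        s = stats[(r["gid"], r["sid"], r["msg"])]
        s["count"] += 1
        s["flows"].add((r["proto"], r["src"], r["sport"], r["dst"], r["dport"]))
    return dict(stats)

def co_firing(rows):
    """Rule IDs that alerted on the same packet (same timestamp and id column)."""
    by_packet = defaultdict(set)
    for r in rows:
        by_packet[(r["timestamp"], r["id"])].add(r["sid"])
    return {pkt: sids for pkt, sids in by_packet.items() if len(sids) > 1}

if __name__ == "__main__":
    rows = parse_alerts(SAMPLE)
    for (gid, sid, msg), s in sorted(summarize(rows).items()):
        print(f"{gid}:{sid} {msg!r}: {s['count']} alerts, {len(s['flows'])} flow(s)")
    for pkt, sids in co_firing(rows).items():
        print("same packet", pkt, "->", sorted(sids))
```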