    Unknown snort rule

    IDS/IPS
      GemeenAapje last edited by

      Hi all
      I'm new to pfSense and Snort but have spent the best part of a week playing with the system.

      Since adding Snort we've found lots of weird behaviour, like Netflix just stopping half-way through a movie etc.

      Looking at my logs I see many alerts for things I wouldn't expect - like it's blocking HTTPS for example.  The rule mentioned is nowhere to be found (Googled a lot before posting here).

      For example…
      07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
      07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
      07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
      07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
      07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56739,Misc activity,3,

      If I look for the rule numbers I cannot find them online.

      Why would HTTPS be being blocked? It makes no Pfsense ;-)

      Thanks

      Matt

        GemeenAapje last edited by

        Found them!  OpenAppID rules, I had them all enabled.

        Logs cleared and back to normal

        ::)

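An added example, not part of the original thread: a Python tally of alert lines like those quoted in the first post, grouped by generator ID and signature ID, so that the handful of rules producing most of the alerts (here the "https" and "netflix" application-detection entries, which the follow-up post identifies as OpenAppID rules) stand out. The column names are assumptions inferred from the quoted lines; the sample input is the five lines from the first post.

```python
import csv
import io
from collections import Counter, defaultdict

# Column order assumed from the alert lines quoted in the thread;
# adjust FIELDS if your alert log is configured differently.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto",
          "src", "sport", "dst", "dport", "id", "classification", "priority"]

# Sample input: the five alert lines copied from the first post.
SAMPLE = '''\
07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56739,Misc activity,3,
'''

def parse_alerts(text):
    """Yield one dict per well-formed alert line; skip blank or short lines."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue
        # zip() drops the empty field left by the trailing comma.
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        if rec["gid"].isdigit() and rec["sid"].isdigit():
            yield rec

def summarize(text):
    """Group alerts by (gid, sid, msg), most frequent first, with distinct flows."""
    counts = Counter()
    flows = defaultdict(set)
    for rec in parse_alerts(text):
        key = (int(rec["gid"]), int(rec["sid"]), rec["msg"])
        counts[key] += 1
        flows[key].add((rec["src"], rec["dst"], rec["dport"], rec["proto"]))
    return [
        {"gid": g, "sid": s, "msg": m, "count": n, "flows": sorted(flows[(g, s, m)])}
        for (g, s, m), n in counts.most_common()
    ]

if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(f'{e["gid"]}:{e["sid"]} "{e["msg"]}" x{e["count"]} {e["flows"]}')
```

A signature whose message is just an application name and whose classification is "Misc activity" on ordinary traffic is a candidate for review of which rule categories are enabled on the interface.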