Unknown snort rule
-
Hi all
I'm new to pfSense and Snort but have spent the best part of a week playing with the system. Since adding Snort we've found lots of weird behaviour, like Netflix just stopping half-way through a movie etc.
Looking at my logs I see many alerts for things I wouldn't expect - like it's blocking HTTPS for example. The rule mentioned is nowhere to be found (Googled a lot before posting here).
For example…
07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56739,Misc activity,3,
If I look for the rule numbers I cannot find them online.
Why would HTTPS be being blocked? It makes no Pfsense ;-)
Thanks
Matt
-
Found them! OpenAppID rules, I had them all enabled.
Logs cleared and back to normal
::)
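
An added example, not part of the original posts: a short Python script that tallies alert lines like the ones quoted above per GID:SID, so the noisiest rule IDs and their messages stand out before looking them up among the enabled rule categories. The column names in `FIELDS` are assumptions inferred from the sample lines, not taken from Snort documentation.

```python
import csv
from collections import defaultdict

# Assumed column order, inferred from the alert lines quoted in the post.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "sport",
          "dst", "dport", "id", "classification", "priority"]

# Sample input: the first three alert lines quoted in the post.
SAMPLE = '''\
07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,192.168.2.204,37191,52.33.113.251,443,56737,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,192.168.2.204,37191,52.33.113.251,443,56738,Misc activity,3,
'''

def parse_alerts(text):
    """Yield one dict per well-formed alert line; skip blank or short lines."""
    for row in csv.reader(text.splitlines()):
        if len(row) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        # Ignore prose or header lines that happen to contain commas.
        if rec["gid"].isdigit() and rec["sid"].isdigit():
            yield rec

def summarize(text):
    """Group alerts by GID:SID; return (key, stats) pairs, noisiest first."""
    groups = defaultdict(lambda: {"count": 0, "msg": "", "flows": set()})
    for rec in parse_alerts(text):
        g = groups[f'{rec["gid"]}:{rec["sid"]}']
        g["count"] += 1
        g["msg"] = rec["msg"]
        # One flow = same endpoints and destination port, whatever the packet id.
        g["flows"].add((rec["src"], rec["dst"], rec["dport"], rec["proto"]))
    return sorted(groups.items(), key=lambda kv: -kv[1]["count"])

if __name__ == "__main__":
    for key, g in summarize(SAMPLE):
        print(f'{key:10} {g["count"]:4}  {g["msg"]:12} flows={len(g["flows"])}')
```

Feeding it the full alert log instead of `SAMPLE` shows at a glance when a handful of IDs with application-name messages account for most of the alerts on ordinary traffic.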