Netgate Discussion Forum

"Block snort2c hosts" blocking http traffic for LAN clients

IDS/IPS
7 Posts 2 Posters 12.0k Views

    Xentrk
    last edited by Aug 14, 2017, 2:16 PM Aug 14, 2017, 7:12 AM

    For the past year, I've had all traffic on the LAN go thru the VPN tunnel.  Everything worked great.

    I recently created firewall rules on the LAN to route some clients over the WAN interface and others over the VPN interface.  The clients that go thru the VPN interface are fine.  The issue is with the clients that go thru the WAN interface.  The firewall is blocking http traffic for these clients.  https traffic is okay.  When I go to the firewall system log and click on the "x", I see this message:

    @51(1000000118) block drop log quick from any to <snort2c:10> label "Block snort2c hosts"

    I am running both suricata and snort.  Turning off both of them does not fix the problem. However, if I reboot the router, there is a three minute window where the http traffic can get thru to the WAN from the LAN before it gets blocked.

    I am not sure how to fix this issue. I went back thru the pfsense docs for snort and created a pass list for LAN clients and implemented it. But it did not work. Plus, the default list should have handled this situation. So I removed it.

    I hope that someone can help point me in the right direction.

    Thank You!

    -------UPDATE-------
    I have http traffic flowing on the LAN interface now.  What I did was stopped Suricata WAN Interface (LAN is set to monitoring only).  I browsed to the http sites and they worked.  I then went back into Suricata WAN gui page, disabled logging for DNS, Stats and TLS, which are the defaults. I then enabled and saved.  I was still able to browse the http sites that were blocked even though I had enabled Suricata.  I don't see anymore block entries in the firewall logs.

    This fix makes no sense to me.  I am hesitant to claim a solution until this has been up and running awhile without further blocks. I will take some time to review the rules again.

    pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
    Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

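The rule text quoted in the post tells you where a block came from before you start changing anything: `<snort2c:10>` is pf's notation for the `snort2c` table (holding 10 hosts at the time), which only Snort/Suricata populate, while the later "Default deny rule IPv4" entry comes from the base ruleset and has nothing to do with the IDS. The following script is an added example, not code from this thread or from the pfSense, Snort or Suricata packages; it parses rule lines of the form shown when you click the "x" next to a block in the firewall log and groups them by origin. The first two sample lines reproduce the entries quoted in the thread, the third is a constructed user rule with a hypothetical alias named `myblock`.

```python
"""Triage pfSense firewall-log block entries by the rule that produced them.

Added example; it is not code from this thread, from pfSense or from the
Snort/Suricata packages. The sample rule texts are constructed: the first two
reproduce the entries quoted in the thread, the third is a made-up user rule
with a hypothetical alias named "myblock".
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule text as shown when you click the "x" beside a block entry under
# Status > System Logs > Firewall. pf writes table references as
# <tablename:entries>, so <snort2c:10> is the snort2c table holding 10 hosts.
SAMPLE_RULES = [
    '@51(1000000118) block drop log quick from any to <snort2c:10> label "Block snort2c hosts"',
    '@9(1000000103) block drop in log inet all label "Default deny rule IPv4',  # pasted without closing quote
    '@77(1502345678) block drop in log quick on em0 inet from <myblock:3> to any label "USER_RULE: block list"',
]

# @<position>(<tracker id>) <rule body> label "<label>"; the closing quote is
# optional because copied log lines are often truncated like the second sample.
RULE_RE = re.compile(
    r'^@(?P<pos>\d+)\((?P<tracker>\d+)\)\s+(?P<body>.*?)\s+label\s+"(?P<label>[^"]*)"?\s*$'
)
TABLE_RE = re.compile(r'<(?P<table>[^:>]+)(?::(?P<count>\d+))?>')


@dataclass
class BlockRule:
    position: int
    tracker: int
    label: str
    table: Optional[str]
    table_size: Optional[int]

    @property
    def origin(self) -> str:
        """Heuristic: which subsystem installed the rule, hence where to tune."""
        if self.table == "snort2c":
            return "ids"    # Snort/Suricata inserted the host: review or suppress the alert
        if self.label.startswith("USER_RULE"):
            return "user"   # a rule you wrote: check its source/destination/interface
        return "base"       # pfSense's own ruleset, e.g. the default deny


def parse_rule(text: str) -> BlockRule:
    """Parse one pf rule line into its position, tracker id, label and table."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised pf rule text: {text!r}")
    t = TABLE_RE.search(m.group("body"))
    return BlockRule(
        position=int(m.group("pos")),
        tracker=int(m.group("tracker")),
        label=m.group("label"),
        table=t.group("table") if t else None,
        table_size=int(t.group("count")) if t and t.group("count") else None,
    )


def triage(rule_texts: List[str]) -> Dict[str, List[str]]:
    """Group block rules by origin so each goes to the right tuning step."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for text in rule_texts:
        rule = parse_rule(text)
        groups[rule.origin].append(rule.label)
    return dict(groups)


if __name__ == "__main__":
    for origin, labels in triage(SAMPLE_RULES).items():
        print(f"{origin:5s} {labels}")
```

An "ids" result means a Snort or Suricata alert put the destination host into `snort2c`; purging the table (Diagnostics > Tables > snort2c, or `pfctl -t snort2c -T flush` from a shell) only clears the current entries, and the host will be re-added the next time the same alert fires, so the lasting fix is to review that alert and suppress or disable its rule. A "base" result points at the firewall rules themselves, not the IDS.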
      Xentrk
      last edited by Aug 15, 2017, 2:46 PM Aug 15, 2017, 1:10 PM

      Just as I suspected, the fix did not stick  :-\

      I find if I disable snort and suricata AND…go to Diagnostics, Tables and select the table snort2c from the drop down list, then purge the table contents, I can get web browsing working again for http sites.  I need to read more about snort and suricata to understand the rule that is throwing this block for legitimate traffic and how to stop it.  Also, I saw a recommendation that I should not be running both IDS/IPS solutions at the same time.

      I never had this issue when I ran all traffic thru the VPN clients.  This mess began when I started routing some LAN traffic to the WAN.  It is preventing me from going 100% pfSense for the time being in my house. I hope my research will be successful and I can find out how to fix the rule(s) that is blocking legit http traffic from LAN to WAN interface.

      I also see new blocks for valid traffic:
      @9(1000000103) block drop in log inet all label "Default deny rule IPv4"

      I tried turning off snort and leave suricata running when these blocks appeared.

      So, right now, no IDS/IPS is running on my pfSense install. Ugh!

        Xentrk
        last edited by Aug 16, 2017, 2:48 AM

        I now have Suricata running in blocking mode using the settings on this fine video from Lawrence Systems

        Suricata Network IDS/IPS System Installation, Setup and How To Tune The Rules & Alerts on pfSense

        https://www.youtube.com/watch?v=KRlbkG9Bh6I

        So far so good.  Snort is turned off and I will probably remove the package if things stabilize for me.  I think the reason I had no issues before is all my traffic was thru the vpn tunnel.  And I only had the Snort and Suricata interfaces turned on for the WAN.

          Xentrk
          last edited by Aug 17, 2017, 6:21 AM

          I started having some other issues with traffic blocking for ipv4 traffic later on. I restored pfSense to an earlier version that did not give me any issues. I then uninstalled snort and put suricata in monitor mode only, then rebooted. Things appear to be going okay now and I am no longer seeing any blocks to valid websites. Keeping my fingers crossed.

            bmeeks
            last edited by Aug 17, 2017, 12:16 PM

            @Xentrk:

            I started having some other issues with traffic blocking for ipv4 traffic later on. I restored pfSense to an earlier version that did not give me any issues. I then uninstalled snort and put suricata in monitor mode only, then rebooted. Things appear to be going okay now and I am no longer seeing any blocks to valid websites. Keeping my fingers crossed.

            Your rules need "tuning" to eliminate false positives.  There will be a lot of them with either package, but Snort's HTTP_INSPECT preprocessor is notorious for false positives on modern web sites.  The problem is really with the web sites not always following established standards, but that does not mean they are "bad".  So you have to look at the alerts (blocks) and determine if it is a likely false positive.  If so, you either disable or suppress that rule and alert.  Lots of information with suggested suppress lists is in another thread on this sub-forum.  I believe it is titled "Taming the Beast…".  While specifically about Suricata, there are Snort applicable comments in there as well.

            Bill

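Bill's advice comes down to a loop: look at which alerts are firing, decide whether each is a false positive for your own clients, and then suppress or disable that rule. The script below is an added example, not code from this thread or from the Suricata project; it reads Suricata EVE JSON alert records, ranks signatures by frequency, shows which LAN hosts triggered a given signature, and writes suppress lines in the `threshold.config` syntax that the pfSense Suricata package's Suppress list also accepts. The EVE records are constructed and the `sig_id` values 2000001/2000002 are placeholders, not real rule IDs. Scoping the suppression with `track by_src` to the LAN network keeps the rule active for traffic from elsewhere.

```python
"""Turn Suricata EVE alerts into a suppress list for tuned-out false positives.

Added example; not code from this thread or from the Suricata project.
The EVE JSON records are constructed, and the sig_id values 2000001/2000002
are placeholders rather than real rule IDs.
"""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed eve.json excerpt: three alerts from two LAN hosts for one
# signature, one inbound alert for another, and one non-alert record to skip.
SAMPLE_EVE = """\
{"timestamp":"2017-08-15T09:12:01.000000+0000","event_type":"alert","src_ip":"192.168.1.23","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2000001,"rev":3,"signature":"EXAMPLE HTTP header anomaly (placeholder)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-15T09:12:05.000000+0000","event_type":"dns","src_ip":"192.168.1.23","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2017-08-15T09:13:44.000000+0000","event_type":"alert","src_ip":"192.168.1.40","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2000001,"rev":3,"signature":"EXAMPLE HTTP header anomaly (placeholder)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-15T09:15:02.000000+0000","event_type":"alert","src_ip":"192.168.1.23","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2000001,"rev":3,"signature":"EXAMPLE HTTP header anomaly (placeholder)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-08-15T09:20:19.000000+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.168.1.23","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2000002,"rev":1,"signature":"EXAMPLE inbound scan (placeholder)","category":"Attempted Information Leak","severity":2}}
"""

Key = Tuple[int, int, str]  # (gid, sid, signature text)


def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Keep only event_type == "alert" records; skip blanks and other event types."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def top_signatures(alerts: List[dict]) -> List[Tuple[Key, int]]:
    """Most frequent signatures first: the usual starting point for tuning."""
    counts: Counter = Counter()
    for a in alerts:
        al = a["alert"]
        counts[(al["gid"], al["signature_id"], al["signature"])] += 1
    return counts.most_common()


def lan_sources(alerts: List[dict], sid: int, lan: str) -> Set[str]:
    """Source IPs inside `lan` that triggered `sid`: your own clients, not outsiders."""
    net = ipaddress.ip_network(lan)
    return {a["src_ip"] for a in alerts
            if a["alert"]["signature_id"] == sid
            and ipaddress.ip_address(a["src_ip"]) in net}


def suppress_entries(alerts: List[dict], false_positive_sids: Set[int],
                     lan: Optional[str] = None) -> List[str]:
    """Emit threshold.config-style suppress lines for the chosen sids.

    With `lan` given, suppression is limited to alerts whose source is in that
    network (track by_src) instead of silencing the rule everywhere.
    """
    seen: Dict[Tuple[int, int], str] = {}
    for a in alerts:
        al = a["alert"]
        key = (al["gid"], al["signature_id"])
        if al["signature_id"] in false_positive_sids and key not in seen:
            seen[key] = al["signature"]
    out: List[str] = []
    for (gid, sid), sig in sorted(seen.items()):
        line = f"suppress gen_id {gid}, sig_id {sid}"
        if lan:
            line += f", track by_src, ip {lan}"
        out.append(f"# {sig}")   # comment line so the list stays readable later
        out.append(line)
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE.splitlines())
    for (gid, sid, sig), n in top_signatures(alerts):
        print(f"{n:3d}  {gid}:{sid}  {sig}  lan={sorted(lan_sources(alerts, sid, '192.168.1.0/24'))}")
    print("\n".join(suppress_entries(alerts, {2000001}, "192.168.1.0/24")))
```

On pfSense the generated lines go into a Suppress list under Services > Suricata > Suppress, which is then assigned to the interface; the same syntax works in a stock Suricata `threshold.config`. Suppressing only by source network is deliberate: a rule that misfires on your LAN browsers can still be a useful signal for traffic arriving from the outside.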
              Xentrk
              last edited by Aug 18, 2017, 1:50 PM Aug 18, 2017, 1:46 PM

              Thanks for the reply Bill. You confirmed the path I need to take. After my post, I did more research and realized it will take time to tune and learn more about suricata. Thank you for the tip on the forum posting "Taming the Beast".  I will definitely visit that post. I gave google a workout with my searches on suricata but never did come across that thread.

              The reason I did not get impacted until now is I had suricata turned on the WAN interface. Yet, all of my browsing was done on the VPN interface. My problems only started when testing web browsing over the native WAN interface. That is when the rules started impacting me.  I have some users in the family that want native WAN while the rest of us want VPN to USA 100 percent of the time. I am trying to reduce my router footprint and go 100 percent pfSense.  I think I have things stable now that suricata is turned off.  I noticed my disk space started growing.  For next steps, I plan to do some more reading on the pfSense forum and other resources to learn all I can about suricata before I start testing it again. Thanks again for the advice and help!

                bmeeks
                last edited by Aug 18, 2017, 4:59 PM

                @Xentrk:

                Thanks for the reply Bill. You confirmed the path I need to take. After my post, I did more research and realized it will take time to tune and learn more about suricata. Thank you for the tip on the forum posting "Taming the Beast".  I will definitely visit that post. I gave google a workout with my searches on suricata but never did come across that thread.

                The reason I did not get impacted until now is I had suricata turned on the WAN interface. Yet, all of my browsing was done on the VPN interface. My problems only started when testing web browsing over the native WAN interface. That is when the rules started impacting me.  I have some users in the family that want native WAN while the rest of us want VPN to USA 100 percent of the time. I am trying to reduce my router footprint and go 100 percent pfSense.  I think I have things stable now that suricata is turned off.  I noticed my disk space started growing.  For next steps, I plan to do some more reading on the pfSense forum and other resources to learn all I can about suricata before I start testing it again. Thanks again for the advice and help!

                For the disk space growing issue, make sure all the automatic Log Management functions are turned on the LOGS MGMT tab.  They will auto-rotate and delete logs based on values set on that tab.  You can adjust the limits to match the size of your disk.  Suricata can be a "chatty" logger.

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.