Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    SNORT Dynamic WAN IP

    IDS/IPS
    2
    3
    359
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      saduccm last edited by

      Hi,

      i have just installed SNORT and configured as best as i can. It also run well for about 1 day, after that i recognized snort i blocking all traffic.
      After some researches it seems i got a new WAN IP from my provider and snort didnt recognize that new IP, so it blocked it.

      In Snort config i have checked all settings for allowing WAN IPs.

      I have also checked in System-Log if packages are reloaded, i also saw an entry there from Snort.

      Is there something i a missing or is there another way to restart snort on WAN IP Change?

      1 Reply Last reply Reply Quote 0
      • S
        saduccm last edited by

        Solved, there were some False Positive Alerts which leaded to that Problem.

        1 Reply Last reply Reply Quote 0
        • G
          gryest last edited by

          Hi, I found I have the same problem. I wasn't sure but today internet suddenly stopped when I was online and I found PPPoE is down because WAN IP changed. What happened is: Snort detected new IP connected to website IP I was browsing 5 minutes ago as "port sweep"  and effectively blocked my new WAN IP together with all internet taking down VoiP and Internet radio tuner.

          I like to know how to mitigate such problem correctly because next time it can be other false positive or rule trigger same outage.
          Is any rule can be added to whitelist WAN IP as alias?
          Thanks

          1 Reply Last reply Reply Quote 0
          • First post
            Last post