• Hi,

    i have just installed SNORT and configured as best as i can. It also run well for about 1 day, after that i recognized snort i blocking all traffic.
    After some researches it seems i got a new WAN IP from my provider and snort didnt recognize that new IP, so it blocked it.

    In Snort config i have checked all settings for allowing WAN IPs.

    I have also checked in System-Log if packages are reloaded, i also saw an entry there from Snort.

    Is there something i a missing or is there another way to restart snort on WAN IP Change?

  • Solved, there were some False Positive Alerts which leaded to that Problem.

  • Hi, I found I have the same problem. I wasn't sure but today internet suddenly stopped when I was online and I found PPPoE is down because WAN IP changed. What happened is: Snort detected new IP connected to website IP I was browsing 5 minutes ago as "port sweep"  and effectively blocked my new WAN IP together with all internet taking down VoiP and Internet radio tuner.

    I like to know how to mitigate such problem correctly because next time it can be other false positive or rule trigger same outage.
    Is any rule can be added to whitelist WAN IP as alias?

Log in to reply