Netgate Discussion Forum

    Snort: Facebook and Portscan Blocking

      justme2

      All,

      Has anyone encountered over the past few weeks (starting early August) that Snort (even on low sensitivity for portscan config) is regularly blocking certain Facebook server IPs (edge-*-shv-##-iad#.facebook.com)? The limited information on these suggests that they are part of the 3rd party website [visit] tracking, but are required when users use/access Facebook? Occurs sporadically - have not been able to forcibly re-create, but occurs several times per week. Sometimes a day or two goes by without it occurring and then it might occur a couple times in one day.

      Reference Log information:

      • 122,17,1,"(portscan) UDP Portscan"
      • Attempted Information Leak,2,alert,Allow

      Unfortunately, the ability to simply 'click' on the rule link (via alerts window) appears to be no longer valid - removing the 'easy' means to more readily determine what is happening.

      Seems rather odd (if not unexpected) and wondered if anyone else had encountered this, as well.

      FWIW - use of Facebook aside, the fact that Snort perceives this as an inbound 'portscan' is what garnered attention.

      Thanks!
