Teams client use of STUN blocks Microsoft ~ Suppressed?
-
Hello, I've been using pfSense/Snort/etc since 2017 at several locations and I'm presently on v 2.4.4_3 and 3.2.9.10_1
Yesterday, my users couldn't get Teams Chat working and Google led me to the STUN/TURN server issue on ports 3478 through 3481, which I confirmed and localized going into Microsoft IPs 52.112.0.0/14 with the following three Alerts:
1,2033078,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",UDP..
1,2016149,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)",UDP..
1,2016150,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)",UDP..
And I wrote three Snort suppress rules for these, which seem to be working; knock on wood.
The problem is that I had to grep Snort's raw alert log to even see the outgoing Alert/Drop records listed above and get the Gen_ID & Sig_ID. The Blocked page doesn't display IDs, and there's nothing shown at all on the WAN Alerts page.
WAN is the only interface I declared to Snort. Apparently, Snort still monitors outgoing traffic though; should I declare the LAN interface to Snort too? Just so I can see these alerts?
I.e., is there an easier way to see outgoing Snort issues? :-)
Hopefully Yours; William
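As an added example (not part of William's post or the pfSense packages), this script does the grep step from the post programmatically: it parses Snort CSV alert lines, picks out the alerts that touch the 52.112.0.0/14 range on UDP 3478-3481, and emits suppress-list entries carrying the GID/SID pairs. The sample lines are constructed for the example, and the field order (timestamp,gid,sid,rev,msg,proto,src,srcport,dst,dstport) is an assumption modeled on the excerpt above; check it against your own alert log before relying on it. The entries it prints use Snort's `track by_src|by_dst, ip <net>` form so the suppression applies only to traffic involving that network, which is narrower than a bare `suppress gen_id, sig_id` entry.

```python
"""Extract GID/SID pairs for STUN alerts involving a given network from a Snort
CSV alert log and render suppress-list entries scoped to that network."""
import csv
import ipaddress
from io import StringIO

# Assumed field order for the CSV alert output; adjust to match your log.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto",
          "src", "srcport", "dst", "dstport"]

# Range and ports named in the forum post.
TEAMS_NET = ipaddress.ip_network("52.112.0.0/14")
STUN_PORTS = range(3478, 3482)  # 3478 through 3481 inclusive

# Constructed sample alert lines (not real log data). Private/documentation
# addresses stand in for LAN hosts and unrelated destinations.
SAMPLE_ALERTS = """\
05/20-09:12:01.123456,1,2016149,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)",UDP,192.168.1.50,50001,52.113.2.10,3478
05/20-09:12:01.223456,1,2016150,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)",UDP,52.113.2.10,3478,192.168.1.50,50001
05/20-09:12:02.000001,1,2033078,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",UDP,192.168.1.51,50002,52.114.9.9,3481
05/20-09:12:03.000001,1,2016149,2,"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)",UDP,192.168.1.52,50003,203.0.113.7,3478
05/20-09:12:04.000001,1,2100498,7,"GPL ATTACK_RESPONSE id check returned root",TCP,198.51.100.20,80,192.168.1.50,50004
"""


def parse_alerts(text):
    """Parse CSV alert lines into dicts keyed by FIELDS; quoted msg fields are handled by csv."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def stun_suppressions(text, net=TEAMS_NET, ports=STUN_PORTS):
    """Return sorted (gid, sid, track) tuples for alerts where the given network
    is the STUN peer. Outbound requests match on dst (track by_dst); inbound
    responses from the network match on src (track by_src)."""
    found = set()
    for row in parse_alerts(text):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            sport, dport = int(row["srcport"]), int(row["dstport"])
            gid, sid = int(row["gid"]), int(row["sid"])
        except (ValueError, TypeError):
            continue  # malformed or truncated line; skip rather than guess
        if row["proto"].upper() != "UDP":
            continue
        if dst in net and dport in ports:
            found.add((gid, sid, "by_dst"))
        elif src in net and sport in ports:
            found.add((gid, sid, "by_src"))
    return sorted(found)


def render_suppress(entries, net=TEAMS_NET):
    """Render Snort threshold.conf suppress lines scoped to the network."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {net}"
            for gid, sid, track in entries]


if __name__ == "__main__":
    for line in render_suppress(stun_suppressions(SAMPLE_ALERTS)):
        print(line)
```

Paste the printed lines into a Suppress List in the Snort package GUI (Services > Snort > Suppress) and assign it to the interface. The unrelated `GPL ATTACK_RESPONSE` line and the STUN request toward 203.0.113.7 are deliberately left out of the output, which is the point of scoping the suppression to the network rather than silencing the signature everywhere.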
-
@wmarnold1 I haven't noticed missing alerts, and though we don't use Teams, I have seen STUN blocks for a handful of webinar/conference sites. We do have Snort/Suricata on LAN, though, because that shows the LAN device's IP in the alerts log, and most of the raw inbound traffic would have been blocked by firewall rule anyway.
I've also seen bmeeks, the package maintainer, say that the ET Info and ET Policy rules are more for alerting as to the traffic and not for blocking bad traffic. YMMV, but we found ourselves suppressing several and often just don't enable those.
-
@steveits, thanks for the reply.
I had dual WANs at this site until recently and I will start declaring LANs for Snort everywhere now so I can see and fix outgoing Snort issues easier ~ thanks!
I read somewhere that pfSense on BSD doesn't understand the distinction between ALERT and DROP records, so, it blocks both. I like considering Emerging Threats, for the most part
-
@wmarnold1 said in Teams client use of STUN blocks Microsoft ~ Suppressed?:
I read somewhere that pfSense on BSD doesn't understand the distinction between ALERT and DROP records, so, it blocks both. I like considering Emerging Threats, for the most part
Let me set the record straight there. I think some information has gotten a bit confused as it moved around the web ...
IDS/IPS "blocking" is handled by either the Snort or Suricata add-on package when using pfSense. Each package offers two quite distinct blocking modes: Legacy Blocking Mode and Inline IPS Mode. There is quite a long Sticky Post at the top of this sub-forum describing the Inline IPS Mode for Snort. As part of that description, the post goes into the differences between Legacy Mode and Inline IPS Mode blocking. Here is a link: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions.
When using Snort with Inline IPS Mode, you most certainly can mix and match rule actions such as ALERT and DROP. Rules with the ALERT action will only generate alert log entries and not block any traffic. Rules with the DROP action will generate alert log entries AND drop the offending packet(s) -- in effect "blocking" that traffic. When using Snort in Legacy Mode Blocking, any alert results in a block because the custom blocking module will insert the IP addresses pulled from alerts into the pf (packet filter) table snort2c. And any IP address inserted into that table is blocked by the firewall using a built-in hidden rule created by pfSense at boot up.

Suricata works pretty much the same way, but it does offer one other option with Legacy Mode Blocking. It offers the option to "block on DROP only". That means only rules whose action is DROP will result in the IP addresses getting inserted into the snort2c table for blocking (Suricata uses the same built-in table that Snort uses).