Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SpeedTest logging server + pfsense with Snort

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    3
    212
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bavcon22
      last edited by

      How to make optimal configuration in snort to exclude SpeeedTest alerts?
      I just setup and configured Snort for package inspection and now I have a lot of alerts when I run SpeedTest from ookla on Raspberry Pi with IrfanDB and Grafana.
      When SpeedTest runs he "call" a great number of servers and all has its own upload and download alerts. For now I put all this alerts in Suppress section and the list is bigger and bigger. If I suppress the rule I will have a security issue. Is another way to solve this situation?

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @bavcon22
        last edited by

        @bavcon22 What are the alerts? I would not expect a speed test to trigger anything.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        B 1 Reply Last reply Reply Quote 0
        • B
          bavcon22 @SteveITS
          last edited by

          @steveits I collect descriptions from suppress file:

          1. (http_inspect) PROTOCOL-OTHER HTTP server response before client 120:18
          2. (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120:3
          3. (http_inspect) UNESCAPED SPACE IN HTTP URI 119:33
          4. (http_inspect) BARE BYTE UNICODE ENCODING 119:4
            All alerts has it's own GID:SID

          I know that alerts are from SpeedTest because I have done an extensive test.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post