    Snort "WEBROOT DIRECTORY TRAVERSAL" from my network

    mtrade:

      I get blocked traffic for 119:18 with the source IP in my network. This started a few months ago and is my Roku when I try to start most Disney Marvel series episodes.
      The destination seems to always be Fastly 151.101.0.0 - 151.101.255.255 or Akamai 23.47.48.0 - 23.47.63.255.
      I run Snort on my LAN and WAN interfaces. I've been getting around this with a suppress rule, suppress gen_id 119, sig_id 18, that I uncomment when it's show time, long enough to get the Disney splash screen, then comment back.

      I checked for updates for the Roku but it's current. Does anyone have a suggestion about what might be happening here or what I should do?

      SteveITS @mtrade:

        @mtrade Sounds like a request the Roku is making?
        https://seclists.org/snort/2012/q4/395

        You can suppress the rule for the Roku IP, from the Alerts tab.

        Running Snort twice will scan packets twice, and also since it runs outside the firewall it will scan inbound packets that will be immediately blocked.


        mtrade @SteveITS:

          @SteveITS I believe the Roku device is doing this, or something programmed into the Disney app. I have a Wi-Fi access point and the LAN alerts show the IP of that device, but it definitely kicks off when I hit play on the movie. It seems weird and I don't want to suppress indefinitely without understanding if it is real or a false positive.
          Are you suggesting disabling Snort on my LAN interface and just keeping the WAN running?

          bmeeks @mtrade:

            @mtrade said in Snort "WEBROOT DIRECTORY TRAVERSAL" from my network:

            Are you suggesting disabling Snort on my LAN interface and just keeping the WAN running?

            A home network almost never needs an IDS/IPS running on both the WAN and LAN. And as @SteveITS mentioned, there is very little point in running an IDS/IPS instance on your WAN interface because the way the FreeBSD network plumbing works the IDS/IPS sees packets BEFORE the firewall does. That means you waste CPU cycles in the IDS/IPS scanning inbound traffic from the Internet that the default firewall rules are going to drop anyway (the default is to drop all unsolicited inbound traffic).

            You don't run an IDS/IPS to protect the firewall. You run it for hosts on your internal networks. The firewall is plenty secure enough to take care of itself 😀. You should remove the Snort instance on your WAN and recover that processing power and RAM. Run Snort only on your internal interfaces (LAN and DMZ perhaps).

            As for the rule you mention, that sounds like an HTTP_INSPECT preprocessor rule. Probably this one: https://www.snort.org/rule_docs/119-18. That entire category of rules is meant for "information only" and does not necessarily indicate a threat. In fact, most folks will be much better off these days on the modern web totally disabling all of the HTTP_INSPECT rules as they false-positive very frequently with modern web traffic.

            mtrade @bmeeks:

              @bmeeks
              Thanks for the tips.
              I disabled the WAN Snort interface and added a suppress by src for that preprocessor rule. I appreciate your help.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.