Snort "WEBROOT DIRECTORY TRAVERSAL" from my network
-
I get blocked traffic for 119:18 with the Source IP in my network. This started a few months ago and is my Roku when I try to start most Disney Marvel series episodes.
The destination seems to always be Fastly 151.101.0.0 - 151.101.255.255 or Akamai 23.47.48.0 - 23.47.63.255.
I run Snort on my Lan and Wan interfaces. I've been getting around this with a suppress rule, suppress gen_id 119, sig_id 18, that I uncomment when it's show time, long enough to get the Disney splash screen, then comment back. I checked for updates for the Roku but it's current. Does anyone have a suggestion about what might be happening here or what I should do?
-
@mtrade Sounds like a request the Roku is making?
https://seclists.org/snort/2012/q4/395
You can suppress the rule for the Roku IP, from the Alerts tab.
Running Snort twice will scan packets twice, and also since it runs outside the firewall it will scan inbound packets that will be immediately blocked.
-
@SteveITS I believe the Roku device is doing this, or something programmed into the Disney app. I have a wifi access point and the Lan Alerts show the IP of that device, but it definitely kicks off when I hit play on the movie. It seems weird and I don't want to suppress indefinitely without understanding if it is real or a false positive.
Are you suggesting disabling snort on my Lan interface and just keeping the Wan running?
-
@mtrade said in Snort "WEBROOT DIRECTORY TRAVERSAL" from my network:
Are you suggesting disabling snort on my Lan interface and just keeping the Wan running?
A home network almost never needs an IDS/IPS running on both the WAN and LAN. And as @SteveITS mentioned, there is very little point in running an IDS/IPS instance on your WAN interface because the way the FreeBSD network plumbing works the IDS/IPS sees packets BEFORE the firewall does. That means you waste CPU cycles in the IDS/IPS scanning inbound traffic from the Internet that the default firewall rules are going to drop anyway (the default is to drop all unsolicited inbound traffic).
You don't run an IDS/IPS to protect the firewall. You run it for hosts on your internal networks. The firewall is plenty secure enough to take care of itself. You should remove the Snort instance on your WAN and recover that processing power and RAM. Run Snort only on your internal interfaces (LAN and DMZ perhaps).
As for the rule you mention, that sounds like an HTTP_INSPECT preprocessor rule. Probably this one: https://www.snort.org/rule_docs/119-18. That entire category of rules is meant for "information only" and does not necessarily indicate a threat. In fact, most folks will be much better off these days on the modern web totally disabling all of the HTTP_INSPECT rules as they false-positive very frequently with modern web traffic.
-
@bmeeks
Thanks for the tips,
I disabled the Wan Snort interface and added a suppress by src for that preprocessor rule. I appreciate your help.
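A worked triage of the advice in this thread, added here and not part of any participant's post: it parses alert_fast-style Snort lines (constructed samples, not real captures), separates 119:18 hits from the Roku IP to the Fastly/Akamai ranges from anything else that still deserves a look, and emits the by-source suppress entry rather than a blanket one. The device IP, the alert line layout and the CIDR widths derived from the thread's address bounds are assumptions.

```python
import ipaddress
import re

# alert_fast-style line; the exact layout is an assumption, adjust to your sensor's output.
ALERT_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
                      r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):?\d* -> (?P<dst>[\d.]+):?\d*")

# The CDN ranges named in the thread, as CIDR blocks (widths assumed from the stated bounds).
CDN_RANGES = {"Fastly": ipaddress.ip_network("151.101.0.0/16"),
              "Akamai": ipaddress.ip_network("23.47.48.0/20")}

def parse_alert(line):
    # Return the alert's fields as a dict, or None for non-alert lines.
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d

def cdn_name(ip):
    # Name of the CDN block containing ip, or None if it is outside both.
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in CDN_RANGES.items() if addr in net), None)

def triage(lines, device_ip, gid=119, sid=18):
    # Split gid:sid alerts into the benign pattern (device_ip -> known CDN) and outliers
    # that still deserve a look before any suppression is made permanent.
    expected, outliers = [], []
    for line in lines:
        a = parse_alert(line)
        if not a or (a["gid"], a["sid"]) != (gid, sid):
            continue
        (expected if a["src"] == device_ip and cdn_name(a["dst"]) else outliers).append(a)
    return expected, outliers

def suppress_line(device_ip, gid=119, sid=18):
    # Suppress entry limited to one source host, rather than silencing the rule everywhere.
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {device_ip}"

# Constructed sample alerts (not real captures): Roku -> Fastly, Roku -> Akamai, and an
# unrelated LAN host hitting a non-CDN address, which the triage should flag.
SAMPLE = [
    "03/01-20:01:02.000001  [**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**] [Priority: 3] {TCP} 192.168.1.50:51234 -> 151.101.1.2:443",
    "03/01-20:01:03.000001  [**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**] [Priority: 3] {TCP} 192.168.1.50:51240 -> 23.47.50.9:80",
    "03/01-20:05:00.000001  [**] [119:18:1] (http_inspect) WEBROOT DIRECTORY TRAVERSAL [**] [Priority: 3] {TCP} 192.168.1.77:40000 -> 198.51.100.4:80",
]
```

Run triage(SAMPLE, "192.168.1.50") against a day of real alert_fast output before committing the suppress entry; an empty outlier list is the evidence that the by-source suppression covers only the Roku's CDN traffic.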