Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Balanced and Rule 140:27 in Snort

    Scheduled Pinned Locked Moved IDS/IPS
    3 Posts 2 Posters 479 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Artefakt
      last edited by

      Hi,
      I have selected the "Balanced" rule set in Snort (4.1.6_9), pfsense 2.7.
      However, the rule 140:27 always interferes with my internal PBX, which communicates to several providers via SIP. (pfSense is correct configured as it shown in the voip Hangout)

      If I delete the block in the Blocked area and click on the red cross in the "Alerts" area, I would have solved the problem, or so I thought. The phone system works again.
      A few days later the same thing happens again. Apparently it only stays active until the rules are reloaded via update.
      In the passlist I already have known servers from the providers listed, but apparently they are IPs I don't know.

      When selecting a rule set like "Balanced", how can I still permanently delete a rule like 140:27?

      Thank you.

      Arti.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        This is a known bug that has been fixed. Unfortunately the pfSense package builders currently have a problem and the "fixed" package has not been copied over to the CE package repo from the builder server. The fix is available in the pfSense Plus repo.

        This has been reported to the Netgate team and they verified receipt of the report, but thus far the repo replication issue is not resolved. Once the repo replication issue is fixed, you will see a Snort 4.1.6_11 package appear in the CE branch, and that new version contains the fix you need.

        The fixed PHP source code file is available here if you are handy with PHP programming and copying/pasting: https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_alerts.php.

        Here is another thread about this issue: https://forum.netgate.com/topic/183190/snort-4-1-6_10-package-update-is-broken-do-not-install-it-a-fix-is-coming-in-4-1-6_11/13.

        A 1 Reply Last reply Reply Quote 0
        • A
          Artefakt @bmeeks
          last edited by

          @bmeeks Dear bmeeks,

          thank you for this info. I will wait for the update.

          Greetings, Arti.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.