Snort screwing up VoIP states



  • I'm running Snort 2.8.5.3 ver 1.24 on pfSense ver 1.2.3 Release.  Hardware is Intel Dual Core E5300 @2.6 GHz w/4 gigs of memory.  Nics are Intel gig cards (em).  Running a couple of VLANs to separate data & VoIP.  WAN is connected to Cisco 1841 connected to T1 from AT$T.

    VoIP net consists of 7 Polycom IP650's using OnSip for hosted PBX.  pfSense is configured for Manual outbound NAT, firewall optimization is set to "Conservative".  Firewall rule set to allow all traffic from OnSip (66.227.100.0/23).  Static Port Mapping is set to "NO" (I know other people insist that you have to have this set to "YES" but this system has worked fine without it).

    Only other packages installed are Dashboard & Rate.

    This system has worked without problems for a year and a half.  In that time I've always used Snort w/basic Oink code rules and whitelisted OnSip.

    Since ver 1.22 of Snort VoIP communications constantly get disconnected if Snort is installed.  Checking "States" under "Diagnostics" shows that all but a couple of the phone sets have dropped their "multiple:multiple" states where normally I would see all 7 Polycom IP's listed as "multiple:multiple".  pfSense reboot does not solve the problem.  Only way to get the phone system back up 100% is to remove Snort.  Snort shows no Alerts or blocking of incoming or outgoing connections to OnSip.  No errors is the system log either.

    I have installed Snort 3 times since Thursday and everytime I do the phone system goes down within 30-45 minutes.  Un-install Snort and the phones work (until I try to install Snort again).

    The following rule sets are enabled:

    snort_attack-responses.rules
    snort_backdoor.rules
    snort_bad-traffic.rules
    snort_bad-traffic.so.rules
    snort_content-replace.rules
    snort_exploit.rules
    snort_exploit.so.rules
    snort_p2p.rules
    snort_p2p.so.rules
    snort_shellcode.rules
    snort_specific-threats.rules
    snort_spyware-put.rules
    snort_virus.rules
    snort_voip.rules
    snort_web-activex.rules
    snort_web-activex.so.rules
    snort_web-attacks.rules
    snort_web-cgi.rules
    snort_web-client.rules
    snort_web-client.so.rules
    snort_web-coldfusion.rules
    snort_web-misc.rules
    snort_web-misc.so.rules
    snort_web-php.rules

    I haven't tried disabling the snort_voip.rules yet as when this happens I don't really have but a minute to try to get the phone systems back up and running.  One thing: when I install Snort at night when the business is closed all phone states remain normal.  Only when they are starting to be used when the business opens each morning does the problem occur.

    I have the same set up at 3 other locations but each of these locations only have 1 VoIP phone to deal with and I have not seen any problems with them.



  • Did you check the snort blocked list?  Is it giving a false positive and blocking the provider?



  • Did you check the snort blocked list?  Is it giving a false positive and blocking the provider?

    Snort shows no Alerts or blocking of incoming or outgoing connections to OnSip.  No errors is the system log either.



  • @jamesdean:

    See your PM TreeTopFlyer

    James

    Please clue us in guys.  My voip authentication server is in my whitelist but it is getting put in the block list anyway.



  • James and I are working on it as I type, but one thing so far is if you have enabled the "portscan" under preprocessors you might want to disable it and see if that helps.

    Edit: We have also upgraded to ver 1.25 over night



  • Thanx to TreeTopFlyer  I was able to figure out the whitelist issue.

    I going to recode and I will have the issue fixed I soon as I am free.

    James


Log in to reply