Snort results in no internet traffic

  • I am using 2.0 beta 3 latest release. I add the snort package.  I have a Comcast 50M connection at home.  I fire up bittorrent to max out my bandwidth and within several minutes, i lose internet connectivity.  With snort running, all is fine.  Any ideas?

  • Based on the subject line I'm going to "assume" you meant "WITHOUT Snort running, all is fine".

    What type of NIC's are you using?  Torrent connections can really show the weakness in NIC's.  If you're using Realtek chipset based NIC's they're almost guaranteed to fail in this situation.

    What error messages are showing up in the logs?  Is the Snort Blocked list filling up?

  • In my single snort installation I've seen HOME_NET addrs getting blocked when I wouldn't expect they should be - maybe that's what's happening to you?  See,26542.0.html for a little more detail.

    I had to add the entire set of HOME_NET ip addrs to a whitelist in order to stop it from blocking them (though not nearly as large of aggregates as I mentioned in that post, I got the whitelist size down to a lot fewer hosts).

  • I don't really think trying to Whitelist something as dynamic as torrent connections is really the answer.  It's probably possible but not something I would want to attempt.  A dog chasing his tail comes to mind.  ;)

    As for the whitelist feature, as long as you enter individual IP addresses it should work, but based on my last conversation with James Dean, entering blocks of IP addresses in CIDR notation will not work.  I know James was working on this problem but he's been busy and so have I so I haven't kept up with it.  The temp answer has been to use the suppression settings.

    I don't think this is the OP's issue.

  • I switched nic's and so far so good.  I still have some testing to do.  thanks

Log in to reply