Snort preprocessor blocking but nothing in alerts
-
Hi everyone
My preprocessor snort package is blocking WAN or OPT1 address few times a day.
Blocked addresses tab is looking like this:3 xxx.xxx.xxx.xxx (http_inspect) DOUBLE DECODING ATTACK
4 xxx.xxx.xxx.xxx FTP Bad login
5 xxx.xxx.xxx.xxx (spp_rpc_decode) Incomplete RPC segment
6 xxx.xxx.xxx.xxx (ftp_telnet) FTP bounce attemptBut I haven't that on "Alerts" tab, so I don't know how to suppress that alerts (what sid, src, dst etc.).
I have loadbalancing rule in firewall. Mabye it's connected?
What can I do?Best Regards
Mateusz Blaszka -
What pfsense version are you running? If it's v.2 Beta, check Snort > Alerts tab if the "Default is On" option is ticked.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.