Snort and TeamSpeak3 = will make snort ban all my teamspeak users.
-
Version of PFSENSE: 1.2.3-RELEASE
Hi.
I've been forced to turn off snort until I get a solution. Snort is banning my teamspeak3 users.
The ban is not triggered directly, only after some time.
How can I disable the rule that triggers bans on my Teamspeak 3 users?
I tried adding suppress rules but they don't work:
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 24
Would love to get some help with this problem.
–----------------------------------------------------
BAN LOG: (portscan) UDP Filtered Distributed Portscan
PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date
1 3 PROTO:255 (portscan) UDP Filtered Decoy Portscan Prep 19.18.4.74 empty -> 187.9.48.16 empty 122:22:0 01/29-23:05:33
4 3 PROTO:255 (portscan) UDP Filtered Distributed Portscan Prep 89.1.14.3 empty -> 187.9.48.16 empty 122:24:0 01/29-03:09:34
-
That's not a rule but the portscan preprocessor. You need to disable the preprocessor, though I'm not sure how to do that with pfSense.
-
To completely turn off that alert type:
Go to the snort tab called "snort_preprocessors.php", then uncheck the "Portscan Detection" option.
That's all you have to do.
The suppress rule you posted looks good to me. Did you remember to save/restart the snort interface?
James
-
Yes, I can disable the portscan under preprocessors, but it's not a good solution I think.
Still the only thing that works, my suppress rules do nothing (even after restarts).
I wish I could only disable all alerts on port xxxx.
Would be awesome to be able to exclude some ports from all kinds of checks.
Then I would be able to protect myself from portscanners. (now I can't if I need teamspeak3 on my server)
Will there be any solution for this in the next version?
-
The gen-msg.map file says we're using the right sids.
Oh, I forgot to mention, try flipping the numbers.
suppress gen_id 22, sig_id 122
suppress gen_id 22, sig_id 122
James
-
> The gen-msg.map file says we're using the right sids.
> Oh, I forgot to mention, try flipping the numbers.
> suppress gen_id 22, sig_id 122
> suppress gen_id 22, sig_id 122
> James

Sorry, it didn't work to change the suppress rule, still banning the users. Only thing that works is to disable Portscan Detection :(
-
Is there no solution to this problem? :-\
-
If you know all their IP addresses or an IP range, add it to the whitelist. I do this for my work's IP range and it works like a charm. If it didn't, I wouldn't be able to OpenVPN because a block rule would be auto-created because of the portscan preprocessor.
-
> If you know all their IP addresses or an IP range, add it to the whitelist. I do this for my work's IP range and it works like a charm. If it didn't, I wouldn't be able to OpenVPN because a block rule would be auto-created because of the portscan preprocessor.

Whitelisting is a crazy thing to do if you ask me. You never know what other people have got on their computers.
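-
Added example, not part of the thread or any poster's code: a short Python script that reads the two ban-log lines from the first post, shows that the SID column is ordered generator:signature:revision (so 122:22:0 is gen_id 122, sig_id 22), and builds suppress entries limited to one destination host. Treating 187.9.48.16 as the TeamSpeak server is an assumption, and the function names are made up for this example.

```python
import re

# The two alert rows copied from the ban log in the first post.
SAMPLE_ALERTS = """\
1 3 PROTO:255 (portscan) UDP Filtered Decoy Portscan Prep 19.18.4.74 empty -> 187.9.48.16 empty 122:22:0 01/29-23:05:33
4 3 PROTO:255 (portscan) UDP Filtered Distributed Portscan Prep 89.1.14.3 empty -> 187.9.48.16 empty 122:24:0 01/29-03:09:34
"""

IP = r"\d+(?:\.\d+){3}"
ALERT_RE = re.compile(
    r"\((?P<pre>\w+)\)\s+(?P<desc>.+?)\s+(?P<cls>\S+)\s+"   # (portscan) text, class
    rf"(?P<src>{IP})\s+\S+\s+->\s+(?P<dst>{IP})\s+\S+\s+"    # SRC SPORT -> DST DPORT
    r"(?P<gen>\d+):(?P<sig>\d+):(?P<rev>\d+)"                # SID = gen:sig:rev
)

def parse_alerts(text):
    """Return one dict per alert row; rows that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("gen", "sig", "rev"):
            row[key] = int(row[key])
        alerts.append(row)
    return alerts

def suppress_lines(alerts, server_ip):
    """Build Snort 2.x suppress entries for the events seen against server_ip.

    'track by_dst, ip' limits each entry to traffic aimed at that one host,
    so the same events still alert for every other destination.
    """
    ids = sorted({(a["gen"], a["sig"]) for a in alerts if a["dst"] == server_ip})
    return [
        f"suppress gen_id {g}, sig_id {s}, track by_dst, ip {server_ip}"
        for g, s in ids
    ]

if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_ALERTS)
    for r in rows:
        print(f'{r["src"]:>12} -> {r["dst"]}  gen={r["gen"]} sig={r["sig"]}  {r["desc"]}')
    # Assumption: 187.9.48.16 (the DST of both rows) is the TeamSpeak server.
    print("\n".join(suppress_lines(rows, "187.9.48.16")))
```

The thread reports that the unscoped suppress entries did not stop the blocks on this pfSense version, so the output only confirms the ID order and the entry syntax.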