Snort and TeamSpeak 3 = will make Snort ban all my TeamSpeak users.



  • Version of PFSENSE: 1.2.3-RELEASE

    Hi.

    I have been forced to turn off Snort until I get a solution. Snort is banning my TeamSpeak 3 users.

    The ban is not triggered immediately, only after some time.

    How can I disable the rule that triggers bans on my TeamSpeak 3 users?

    I tried adding suppress rules, but it doesn't work:
    suppress gen_id 122, sig_id 22
    suppress gen_id 122, sig_id 24

    Would love to get some help with this problem.

    -----------------------------------------------------
    BAN LOG: (portscan) UDP Filtered Distributed Portscan


    PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date

    1 3 PROTO:255 (portscan) UDP Filtered Decoy Portscan Prep 19.18.4.74 empty -> 187.9.48.16 empty 122:22:0 01/29-23:05:33

    4 3 PROTO:255 (portscan) UDP Filtered Distributed Portscan Prep 89.1.14.3 empty -> 187.9.48.16 empty 122:24:0 01/29-03:09:34
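
The alerts in the BAN LOG above carry the SID triple 122:22:0 and 122:24:0, and generator 122 is the sfportscan preprocessor rather than a rule, which is why there is no rule SID to disable. The following script is an added example, not code from the thread or from the pfSense Snort package: it parses alert lines in the posted layout (the two sample lines are constructed to match the table above, same IPs and SIDs), cross-checks the description against the two gen-msg.map entries that appear in the post, and builds the corresponding threshold.conf `suppress` entries, both the unscoped form the poster tried and forms scoped with `track by_dst`/`by_src` to a single IP. It also builds an sfportscan `ignore_scanned` preprocessor line from Snort's own documented option syntax; whether the pfSense 1.2.3 package lets you set that option, or honours the suppress entries, is an assumption and is exactly what the thread is arguing about.

```python
"""Triage Snort sfportscan alerts in the layout posted above.

Added example; not code from the original thread or from the pfSense Snort
package. SAMPLE_ALERTS is constructed to match the BAN LOG table in the post.
The threshold.conf `suppress` syntax and the sfportscan `ignore_scanned`
option are Snort's documented syntax; whether the pfSense 1.2.3 package
applies them is assumed, not verified here.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: the two rows of the BAN LOG table in the post.
SAMPLE_ALERTS = """\
1 3 PROTO:255 (portscan) UDP Filtered Decoy Portscan Prep 19.18.4.74 empty -> 187.9.48.16 empty 122:22:0 01/29-23:05:33
4 3 PROTO:255 (portscan) UDP Filtered Distributed Portscan Prep 89.1.14.3 empty -> 187.9.48.16 empty 122:24:0 01/29-03:09:34
"""

# Generator 122 is the sfportscan preprocessor, not a rule. Only the two
# gen-msg.map entries that appear in the post are reproduced here.
PORTSCAN_GID = 122
GEN_MSG = {
    (122, 22): "(portscan) UDP Filtered Decoy Portscan",
    (122, 24): "(portscan) UDP Filtered Distributed Portscan",
}


@dataclass
class Alert:
    row: int       # leading counter in the posted table (not in its header)
    pri: int
    proto: str     # "PROTO:255": sfportscan emits pseudo-packets, not real UDP
    desc: str
    klass: str
    src: str
    sport: str
    dst: str
    dport: str
    gid: int
    sid: int
    rev: int
    date: str


def parse_alert(line: str) -> Alert:
    """Parse one line in the posted BAN LOG layout.

    The FLOW arrow splits the line; the description is the only field that
    contains spaces, so every other field is recovered by position.
    """
    head, tail = line.split(" -> ", 1)
    tokens = head.split()
    row, pri, proto = int(tokens[0]), int(tokens[1]), tokens[2]
    *desc_words, klass, src, sport = tokens[3:]
    dst, dport, sid_triple, date = tail.split()
    gid, sid, rev = (int(x) for x in sid_triple.split(":"))
    return Alert(row, pri, proto, " ".join(desc_words), klass,
                 src, sport, dst, dport, gid, sid, rev, date)


def parse_alerts(text: str) -> List[Alert]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def is_portscan_event(alert: Alert) -> bool:
    """True when the alert came from the sfportscan preprocessor."""
    return alert.gid == PORTSCAN_GID


def gen_msg_matches(alert: Alert) -> bool:
    """Cross-check the logged description against gen-msg.map."""
    return GEN_MSG.get((alert.gid, alert.sid)) == alert.desc


def suppress_for(alert: Alert, scope: str = "all") -> str:
    """Build a threshold.conf suppress entry for this alert.

    scope "all": the form the poster tried; silences the signature for every host.
    scope "dst": only when the scanned host is alert.dst (track by_dst), so
                 only traffic towards that server is exempted.
    scope "src": only for this particular reported scanner (track by_src).
    """
    base = f"suppress gen_id {alert.gid}, sig_id {alert.sid}"
    if scope == "all":
        return base
    if scope == "dst":
        return f"{base}, track by_dst, ip {alert.dst}"
    if scope == "src":
        return f"{base}, track by_src, ip {alert.src}"
    raise ValueError(f"unknown scope {scope!r}")


def sfportscan_ignore_scanned(hosts: List[str]) -> str:
    """snort.conf preprocessor line that keeps portscan detection on but
    excludes the listed scanned hosts (optionally "ip:port") from it.
    That the pfSense package exposes this option is an assumption."""
    return ("preprocessor sfportscan: proto { all } scan_type { all } "
            "sense_level { low } ignore_scanned { " + " ".join(hosts) + " }")


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        status = "gen-msg.map ok" if gen_msg_matches(a) else "unknown sid"
        print(f"{a.gid}:{a.sid} {a.desc} [{status}]")
        print("  ", suppress_for(a, "dst"))
    print(sfportscan_ignore_scanned(["187.9.48.16"]))
```

The `dst`-scoped form is the closest threshold.conf gets to the "exclude one host from the portscan checks" the poster asks for; the `ignore_scanned` line does the same at the preprocessor level while leaving detection on for everything else.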



  • That's not a rule but the portscan preprocessor. You need to disable the preprocessor, though I'm not sure how to do that with pfSense.



  • To completely turn off that alert type:
    Go to the Snort tab called "snort_preprocessors.php", then uncheck the "Portscan Detection" option.
    That's all you have to do.

    The suppress rule you posted looks good to me. Did you remember to save/restart the Snort interface?

    James



  • Yes, I can disable the portscan under preprocessors, but I don't think it's a good solution.
    Still, it's the only thing that works; my suppress rules do nothing (even after restarts).

    I wish I could just disable all alerts on port xxxx.

    It would be awesome to be able to exclude some ports from all kinds of checks.

    Then I would be able to protect myself from port scanners. (Now I can't if I need TeamSpeak 3 on my server.)

    Will there be any solution for this in the next version?



  • The gen-msg.map file says we're using the right SIDs.

    Oh I forgot to mention, try flipping the numbers.

    suppress gen_id 22, sig_id 122
    suppress gen_id 22, sig_id 122

    James



  • @jamesdean:

    The gen-msg.map file says we're using the right SIDs.

    Oh I forgot to mention, try flipping the numbers.

    suppress gen_id 22, sig_id 122
    suppress gen_id 22, sig_id 122

    James

    Sorry, changing the suppress rule didn't work, it's still banning the users. The only thing that works is to disable Portscan Detection :(



  • Is there no solution to this problem? :-\



  • If you know all their IP addresses or an IP range, add it to the whitelist. I do this for my work's IP range and it works like a charm. If it didn't, I wouldn't be able to OpenVPN, because a block rule would be auto-created because of the portscan preprocessor.



  • @Cino:

    If you know all their IP addresses or an IP range, add it to the whitelist. I do this for my work's IP range and it works like a charm. If it didn't, I wouldn't be able to OpenVPN, because a block rule would be auto-created because of the portscan preprocessor.

    Whitelisting is a crazy thing to do if you ask me. You never know what other people have got on their computers.

