Netgate Discussion Forum

    Snort Portscan Detection - Blocking VoIP

    pfSense Packages
    • asterix

      As the topic says, Squid Portscan Detection, when enabled, blocks my VoIP ISP in a few seconds. It seems the ISP has multiple servers to which the PAP2T ATA connects at different times. So for the time being I have Portscan Detection disabled.

      Is there a solution to this?

      • jimp Rebel Alliance Developer Netgate

        Do you mean snort and not squid? You might want to correct the title of the thread if that is the case.

        • cmb

          VoIP traffic will trip Snort's port scan rules if you have at least several phones; you'll just have to disable those rules.

          • asterix

            Thanks for correcting my topic from Squid to Snort.

            I have no VoIP rules enabled.

            • cmb

              It's not any of the VoIP rules; it's the port scan rules being triggered by RTP generally.

              • asterix

                OK. So what's the fix for it?

                Is disabling port scan the only option? Doesn't it kinda beat the purpose?

                • cmb

                  Yes, you have to disable the port scan rule it's triggering, which is the UDP port scan rule IIRC. RTP in volume looks like a UDP port scan. Some manual hacking of the rule to make it less prone to those false positives may suffice. That's more a question for Sourcefire; we don't have any involvement with the rules.

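Why RTP in volume resembles a UDP port scan, as an added example that is not part of the original thread and is not Snort's detection code: a simplified threshold model (distinct UDP destination ports per source within a time window) run over constructed packets. The IP addresses, port range, threshold, window and the `trusted_sources` exemption are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WAN_IP = "203.0.113.5"         # constructed: firewall WAN address
VOIP_SERVER = "198.51.100.10"  # constructed: provider's media server


def detect_udp_portscan(packets, threshold=10, window=60.0, trusted_sources=()):
    """Return the source IPs that touch more than `threshold` distinct
    (dst_ip, dst_port) pairs within `window` seconds.

    packets: (timestamp, src_ip, dst_ip, dst_port) tuples sorted by time.
    trusted_sources: hypothetical allowlist of sources that are never counted.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, target)
    flagged = set()
    for ts, src, dst, dport in packets:
        if src in trusted_sources:
            continue
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len({target for _, target in q}) > threshold:
            flagged.add(src)
    return flagged


def constructed_rtp_traffic(calls=12):
    """Constructed sample: each call is an RTP stream from the provider's
    server to a fresh even-numbered UDP port, one new call every 4 seconds."""
    packets = []
    for call in range(calls):
        port = 16384 + 2 * call
        start = call * 4.0
        for i in range(5):  # a few packets per stream are enough for the model
            packets.append((start + i * 0.02, VOIP_SERVER, WAN_IP, port))
    return sorted(packets)


def constructed_probe(src="192.0.2.77", ports=20):
    """Constructed sample: an unrelated source touching 20 different UDP ports."""
    return [(10.0 + 0.1 * i, src, WAN_IP, 1000 + i) for i in range(ports)]
```

In this model a handful of calls stays under the threshold, a dozen overlapping calls from one media server crosses it, and exempting that server removes the false positive while other sources are still counted.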
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.