Snort blocking remote staff when checking email with Outlook

djmime · Sep 22, 2011, 7:25 AM

yes it still is i dunt have to macth time to play with it i will try on the weekand
thanks

djmime · Sep 24, 2011, 1:39 PM

OK I am lost can't figure this out need sum help ?

Cry Havok · Sep 24, 2011, 8:17 PM

Start by unticking "Block offenders" in the interface settings. That will give you time to get to the bottom of why you're having problems disabling that rule.

Also, can you post a screenshot of the Advanced configuration pass through section please.

vito · Sep 25, 2011, 1:58 AM

i rebooted my fw this morning and did not have a problem till about an hour ago
nothing in my adv config section.

Cry Havok · Sep 25, 2011, 8:58 AM

Then Snort isn't doing any blocking, something else is your problem.

vito · Sep 25, 2011, 12:21 PM

@Cry:

Then Snort isn't doing any blocking, something else is your problem.

Then what should be in there? I do not recall anything in the adv config box and Snort appears to be working fine besides this. The name applies "advance" to be passed to the snort config for additional options not available in the gui. (I know in the squid package, the custom options box shows configs, but never seen this in snort.)

If Snort is not blocking/working then why is it "blocking" the data stream from the phones and producing the problem by blocking the ip's? Turning off snort or not block offenders allows the devices to work fine.
It is also scanning other traffic and blocking offenders when needed.

This was only an issues after one of the last updates.
Thanks for our help.

Cry Havok · Sep 25, 2011, 4:07 PM

Then how have you told it to suppress the rule? Where did you enter suppress gen_id 137, sig_id 1?

vito · Sep 25, 2011, 6:20 PM

Under the "suppress" Tab

I also just tried under adv config. Still not working.

Cry Havok · Sep 25, 2011, 7:23 PM

What version of pfSense and the Snort package are you running?

vito · Sep 25, 2011, 8:13 PM

PF 2.0 release
Snort 2.9.0.5 pkg v. 2.0

Cry Havok · Sep 25, 2011, 8:22 PM

Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see.

vito · Sep 27, 2011, 11:15 AM

Thanks for the reply and testing Cry Havok

OP and other users that posted to the thread.
Can you post your versions of Snort and PF?
Also note where you have the suppress line added.

If this is a bug, it will help with trouble shooting.

swinn · Sep 27, 2011, 2:28 PM

@Cry:

Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see.

Did you also set the suppression rule list you created to the interface (If Settings->Suppression and Filtering)? If the interface is still set to default then it will not suppress any alerts.

Cry Havok · Sep 27, 2011, 4:43 PM

@swinn:

Did you also set the suppression rule list you created to the interface (If Settings->Suppression and Filtering)? If the interface is still set to default then it will not suppress any alerts.

No - didn't know that those extra steps were required.

vito · Sep 27, 2011, 5:16 PM

When deleting the line from Adv config, the system enter this in the gui field and reverted my config.
²êië,éâw]û²("w
Yes, that is correct, it was just a bunch of garbage.
To be sure, i tried different browsers (FF,Chrome)

djmime · Sep 30, 2011, 6:59 AM

after adding the suppress to the interface snort stop blocking my OMA or OWA
thanks for the tip
:)