Snort blocking iTunes?
-
Hi - was hoping someone might be able to assist. Appears snort blocks my iPhone/iPad from connecting to the Apple itunes store for app updates, etc. I've been unable to determine which IP(s) are associated with iTunes and end up clearing all snort blocked IPs which resolves the issue. Has anyone else determined which IP (CIDR) or suppress rules need to be applied in order to resolve the iTunes issue?
-
What rules are triggered? A friend of mine actually had spyware on his iphone that Snort saw and so his phone was blocked.
-
Here's the alert that's triggered:
Date PRI PROTO CLASS SRC SRCPORT DST DSTPORT SID DESCRIPTION
08/05-08:54:45 2 TCP Potentially Bad Traffic SourceIP 43617 68.156.83.232 443 137:1:2 [click to add to suppress list] "(ssp_ssl) Invalid Client HELLO after Server HELLO Detected"
08/05-08:54:45 2 TCP Potentially Bad Traffic SourceIP 43617 68.156.83.232 443 137:1:2 [click to add to suppress list] "(ssp_ssl) Invalid Client HELLO after Server HELLO Detected"
-
You can add that SID to the supression list. It's the way the iphone makes it's connection that is triggering the SSP rule. SSP is Windows only tech.
see: http://groups.google.com/group/snortusers/tree/browse_frm/month/2011-04/931943bd96ceb0a1?rnum=91&_done=%2Fgroup%2Fsnortusers%2Fbrowse_frm%2Fmonth%2F2011-04%3F