Minecraft server & Snort



  • I am fairly new to Snort/pfSense, but so far it has been great, vastly improved performance, and now I am working on security. For the most part I have everything working like I would want except Minecraft. It seems to be blacklisting players when they try to connect, for malformed HTTP… It would seem turning off HTTP inspection might do it, but I would rather not do that.

    It also seemed to be blocking the authentication server, but I think I have worked around that with an alias for Amazon hosting and then whitelisting it. That did not seem to fix the issue; I also tried to whitelist the ports I use, hoping Snort would let the HTTP traffic through there.

    Currently the IPS policy is set to Connectivity, and the Snort GPLv2 rules are used. Blocking is off till I can get this fixed.

    Thanks in advance



  • @hansrotec:

    I am fairly new to Snort/pfSense, but so far it has been great, vastly improved performance, and now I am working on security. For the most part I have everything working like I would want except Minecraft. It seems to be blacklisting players when they try to connect, for malformed HTTP… It would seem turning off HTTP inspection might do it, but I would rather not do that.

    It also seemed to be blocking the authentication server, but I think I have worked around that with an alias for Amazon hosting and then whitelisting it. That did not seem to fix the issue; I also tried to whitelist the ports I use, hoping Snort would let the HTTP traffic through there.

    Currently the IPS policy is set to Connectivity, and the Snort GPLv2 rules are used. Blocking is off till I can get this fixed.

    Thanks in advance

    Tuning the HTTP_INSPECT preprocessor can be a frustrating exercise. Sometimes you just can't be successful when you must accept a large range of clients or servers. If particular alerts occur more frequently, you can consider adding them to the SUPPRESS LIST for the interface. You can easily do this by clicking the little plus "+" icon next to the alert on the ALERTS tab.

    Adjusting some of the HTTP_INSPECT parameters can also help. The default Server Flow Depth and Client Flow Depth values are only 300 bytes. These are what the Snort VRT folks put in the documentation, but increasing these values might help with certain kinds of alerts. Personally I run each parameter at the suggested max. The values are 65,535 for Server Flow Depth and 1460 for Client Flow Depth. I also have quite a few GID:SID values in my SUPPRESS LIST.

    Bill



  • @bmeeks:

    Tuning the HTTP_INSPECT preprocessor can be a frustrating exercise. Sometimes you just can't be successful when you must accept a large range of clients or servers. If particular alerts occur more frequently, you can consider adding them to the SUPPRESS LIST for the interface. You can easily do this by clicking the little plus "+" icon next to the alert on the ALERTS tab.

    Adjusting some of the HTTP_INSPECT parameters can also help. The default Server Flow Depth and Client Flow Depth values are only 300 bytes. These are what the Snort VRT folks put in the documentation, but increasing these values might help with certain kinds of alerts. Personally I run each parameter at the suggested max. The values are 65,535 for Server Flow Depth and 1460 for Client Flow Depth. I also have quite a few GID:SID values in my SUPPRESS LIST.

    Bill

    Do you use the 0 value, which is supposed to place it at max, or put in the max on the client/server flow depth field? I had been running it at 0.

    I was unsure quite what the suppress list did, I thought, and it appears I was wrong: it just kept that kind of alert from appearing in the log. But from what you're talking about it sounds like it's a pass list, where it bypasses if it's on the suppress list, sort of like another whitelist.



  • @hansrotec:

    Do you use the 0 value, which is supposed to place it at max, or put in the max on the client/server flow depth field? I had been running it at 0.

    A value of "0" tells Snort to inspect all the HTTP traffic.  That can slow things down a bit if you have a loaded box or sub-par CPU.  I use the values 65,535 and 1460.

    @hansrotec:

    I was unsure quite what the suppress list did, I thought, and it appears I was wrong: it just kept that kind of alert from appearing in the log. But from what you're talking about it sounds like it's a pass list, where it bypasses if it's on the suppress list, sort of like another whitelist.

    The SUPPRESS LIST simply stops an event from generating an Alert (an entry in the log).  The way Snort blocks on pfSense is by using a third-party piece of software called Spoink as a plugin.  Spoink gets a copy, real time, of every alert and makes blocking decisions based on the IP addresses in the alert and whether or not they are in the WHITELIST.  By virtue of the fact a SUPPRESS LIST entry keeps an alert from being logged, it also indirectly prevents a block from being put in place based on that alert (since Spoink never saw the alert, it did not generate a block).  So the SUPPRESS LIST is sort of like a whitelist in that regard.  The WHITELIST represents IP addresses that are never blocked even when alerts happen with them and are logged.

    Bill
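    As an added example, not part of either poster's text, here is the Snort 2 configuration syntax that sits behind the two GUI settings Bill describes: the HTTP_INSPECT flow depths, and suppress entries that stop an event from ever becoming an alert (and therefore from ever reaching the blocking plugin). The port list, the GID:SID pairs and the 10.0.0.25 address are illustrative assumptions; the thread does not identify which signatures fire on the Minecraft traffic.

```conf
# --- snort.conf fragment (added example, not from the thread) ---
# Flow depths as described above: inspect up to 65535 bytes of each server
# response and 1460 bytes of each client request. A value of 0 means
# "inspect the whole payload", which costs CPU on a loaded box.
# Port list is an assumption; use whatever your HTTP_PORTS variable holds.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    server_flow_depth 65535 \
    client_flow_depth 1460

# --- suppress list fragment (threshold.conf / suppress.conf syntax) ---
# A suppress entry drops the event before it is logged, so the blocking
# plugin never sees it and no block is created. This is the "indirect
# whitelist" effect from the post above. GID 120 is the http_inspect
# server side, GID 119 the client side; the SIDs are illustrative only.

# Global: never alert on this event, from any address.
suppress gen_id 120, sig_id 3

# Narrower: silence the event only when it is triggered by one source IP
# (assumed address), leaving it active for everyone else.
suppress gen_id 119, sig_id 31, track by_src, ip 10.0.0.25

# Narrower still: a CIDR block instead of a single host.
suppress gen_id 119, sig_id 31, track by_src, ip 10.0.0.0/24
```

    The pass list (WHITELIST) is a different mechanism: it is a pfSense/plugin construct, not Snort syntax, and an address on it still produces a logged alert; only the block is skipped. Prefer the narrower `track by_src` form where you can, so that the signature keeps firing for hosts you have not vetted.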



  • Thank you for clearing both issues up. The change in adding them to the suppress list fixed the issue; I still have other vetting to do, but that solved the Minecraft issue straight away.

    Hmm, I will play around with the values some more on the client/server field. My temporary CPU right now is a Core 2 Duo-era Pentium E5300; it seems up to the task and rarely pegs. I was looking to move it to either an Ivy Bridge Pentium G2020 or an i3 of some sort with an ITX or micro ATX mobo. The current setup was a spare mobo/CPU that had been given to me; the mobo has a fault where it thinks a fan header has died and will hang on about 1/3 of its boots… and being full ATX it is just too large. Normally I use that tower to flash SSDs and test suspected bad parts.

    An unrelated Q/A: does SSD/HDD matter much in terms of performance for pfSense? Right now I have a spare SSD lying around, but due to its size it seems a waste to have it in the current setup.

    Also, thank you; these forums and the people supporting pfSense rock. The responsiveness to questions and the general feeling of community here are much appreciated. I think at this point I am making the right choice to go with pfSense over the Cisco ISA570. Just one more thing to get working: VPN time, woot.



  • @hansrotec:

    An unrelated Q/A: does SSD/HDD matter much in terms of performance for pfSense? Right now I have a spare SSD lying around, but due to its size it seems a waste to have it in the current setup.

    You will probably get a better answer to your SSD/HDD question in the Hardware thread. I personally run an old SATA II 40 GB drive in my home firewall. It is a Supermicro small-form-factor server with an Intel Atom 330 and 4 GB of RAM. My Internet connection (12 megabits/sec cable modem service) can't come close to breaking it into a sweat. The only advantage of an SSD is no moving parts and a little less heat.

    Bill