Netgate Discussion Forum

    Snort kills routing to specific domains!

    pfSense Packages
      Supermule Banned

      pfSense stopped routing my mailserver on all ports associated with the mailserver. It rendered things unusable and first I tried to reboot pfSense and it came back so clients could connect. After a short while, it was blocked again but nothing in the alerts or blocked items.

      It is part of an alias that Snort uses for Friendly IPs.

      I stopped Snort and rebooted the firewall again and nothing has been blocked for several hours.

      So Snort remains off until I have searched for errors.

        Supermule Banned

        Now getting Dce_iface error when trying to restart Snort.

          Supermule Banned

          Disabled the RPC2 preproc. and Snort starts with no issues. Now I will see if it keeps everything running.

            Supermule Banned

            It's running fine ever since. No blocking and no blocking specific domains/sub domains.

              bmeeks

              @Supermule:

              It's running fine ever since. No blocking and no blocking specific domains/sub domains.

              Replied to your IM.  Was this a case of everything was fine and then just suddenly started acting up?  I am wondering if another rule update issue is out there.  Remember the Emerging Threats issue earlier this week with their emerging-bottcc file.

              Is there anything in the system log that might yield a clue?  Also, which Snort package version are you running and on which pfSense version?

              Bill

                Supermule Banned

                pfSense 2.0.3 and Snort 2.9.4.6 pkg v. 2.6.0

                :)

                I used the affected machines earlier today and suddenly it rendered the subdomain useless on all ports. Main domain was fine and even other subdomains worked.

                I rebooted and it worked fine for a couple of minutes and then the affected subdomain was unreachable. Disabled Snort and rebooted, then it came on fine again. Then I got the dce_iface error and disabled the preproc. and it has been running since…

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.