Snort kills routing to specific domains!


  • Banned

    pfSense stopped routing my mailserver on all ports associated with the mailserver. It rendered things unusable. First I tried rebooting pfSense, and it came back so clients could connect. After a short while it was blocked again, but there was nothing in the alerts or blocked items.

    It is part of an alias that Snort uses for Friendly IPs.

    I stopped Snort and rebooted the firewall again and nothing has been blocked for several hours.

    So Snort remains off until I have searched for errors.


  • Banned

    Now getting Dce_iface error when trying to restart Snort.


  • Banned

    Disabled the RPC2 preproc. and Snort starts with no issues. Now I will see if it keeps everything running.


  • Banned

    It's running fine ever since. No blocking, and no blocking of specific domains/subdomains.



  • @Supermule:

    It's running fine ever since. No blocking, and no blocking of specific domains/subdomains.

    Replied to your IM. Was this a case of everything was fine and then just suddenly started acting up? I am wondering if another rule update issue is out there. Remember the Emerging Threats issue earlier this week with their emerging-botcc file.

    Is there anything in the system log that might yield a clue? Also, which Snort package version are you running and on which pfSense version?

    Bill


  • Banned

    pfSense 2.0.3 and Snort 2.9.4.6 pkg v. 2.6.0

    :)

    I used the affected machines earlier today and suddenly it rendered the subdomain useless on all ports. The main domain was fine and even other subdomains worked.

    I rebooted and it worked fine for a couple of minutes and then the affected subdomain was unreachable. Disabled Snort and rebooted, then it came on fine again. Then I got the dce_iface error and disabled the preproc. and it has been running since…

