sites are blocked after upgraded snort



  • I just upgraded snort
    To the latest version 2.9.5.5 pkg v3.0.1

    And now a lot of sites are blocked

    Sites I regularly visit were blocked,
    for example Candy Crush from Facebook
    and many others.
    I added this to the suppress list and it helped for about 10 minutes:

    
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #ET POLICY Dropbox.com Offsite File Backup in Use
    suppress gen_id 1, sig_id 2012647
    
    

    Meanwhile I canceled the option

    Block Offenders  [] Checking this option will automatically block hosts that generate a Snort alert.

    So I can browse



  • @firefox:

    I just upgraded snort
    To the latest version 2.9.5.5 pkg v3.0.1

    And now a lot of sites are blocked

    Sites I regularly visit were blocked,
    for example Candy Crush from Facebook
    and many others.
    I added this to the suppress list and it helped for about 10 minutes:

    
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #ET POLICY Dropbox.com Offsite File Backup in Use
    suppress gen_id 1, sig_id 2012647
    
    

    Meanwhile I canceled the option

    Block Offenders  [] Checking this option will automatically block hosts that generate a Snort alert.

    So I can browse

    There are some false positives that happen with the HTTP_INSPECT preprocessor.  In particular at least one of the ones you listed appears to have cropped up in the latest Snort binary.  I suggest adding Suppress List entries for these alerts for now until the Snort VRT folks get them sorted out.  You may also be able to experiment with tuning some of the new options available in the updated GUI for Stream5 and HTTP_INSPECT.

    Also, when you add entries to the Suppress List, you need to restart Snort on the interface for it to see the change.

    Bill



  • Those http alerts are already known to be false positives.



  • I ticked this box again

    and again many sites were blocked

    Block Offenders  []   Checking this option will automatically block hosts that generate a Snort alert.
    

    Internet browsing on all computers is horribly slow

    I am attaching screenshots of System logs



    It all started last update of snort



  • The only entry in all those log entries that is Snort-related AND could be causing Internet connections to have problems is the "Double-Decoding attack" entry from the HTTP_INSPECT preprocessor.  As several others have said, this is a false positive 99% of the time.  The best way to deal with it is to add a Suppress List entry so that it no longer alerts and blocks.

    To add a Suppress Entry, find the alert in the Alerts tab list and click the plus sign (+) beside it in the GID:SID column.  That will auto-add it to the Suppress List.  Restart Snort on the interface and that alert will no longer cause a block.  False positives are normal on any IPS/IDS.  That's what all the tuning parameters are there for, so you can tune Snort to only alert on things important in your environment.  The HTTP_INSPECT preprocessor causes most of the false positives because very few web servers on the Internet follow all the RFC standards to the absolute letter.

    The firewall log entries are IPv6 Link-Local broadcasts.  They are not a problem, but if you don't want to see them you can simply drop and not log them.  They are not Snort-related outside the fact Snort puts the WAN interface in promiscuous mode, so it may be collecting IP traffic between you and your far-end gateway that is not explicitly destined for your NIC's MAC address.

    The ET (Emerging Threats) blocks from Snort are normal and expected for that rule set.  The alert means an IP from a "bad actors" IP list tried to connect to your WAN IP.

    Finally, looking at your logs indicates some issues with your PPPoE connectivity.  Looks like the interface has bounced a time or two and the apinger for Gateway health was showing some issues a few days back.

    Bill



  • Indeed,
    apinger turned off once or twice and I had to run it again

    this is the  suppress list

    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #ET POLICY Dropbox.com Offsite File Backup in Use
    suppress gen_id 1, sig_id 2012647
    #ET INFO JJEncode Encoded Script
    suppress gen_id 1, sig_id 2017127
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    

    Finally, looking at your logs indicates some issues with your PPPoE connectivity.  Looks like the interface has bounced a time or two and the apinger for Gateway health was showing some issues a few days back.

    Can it cause slowness in surfing?
    Currently it takes three or four minutes to load a web page, if it loads at all.

    By the way, browsing to the Management screen (dashboard) is also slow.

    Sometimes it is impossible to enter the Management screen.



  • @firefox:

    this is the  suppress list

    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #ET POLICY Dropbox.com Offsite File Backup in Use
    suppress gen_id 1, sig_id 2012647
    #ET INFO JJEncode Encoded Script
    suppress gen_id 1, sig_id 2017127
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    

    You are missing the Suppress Entry for the DOUBLE DECODING ATTACK alert.  You need this one as well based on your log posting:

    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    

    Can it cause slowness in surfing?
    Currently it takes three or four minutes to load a web page, if it loads at all.

    By the way, browsing to the Management screen (dashboard) is also slow.

    Sometimes it is impossible to enter the Management screen.

    Issues with slow surfing and trouble entering the Management screen of the firewall indicate something hardware-related in my opinion.  I would look for duplex mismatches or bad cabling.  What type of hardware are you running pfSense on (for example, CPU type, amount of RAM, type of NIC, etc.).

    I also saw from your earlier log posting that you appear to be running some other packages in addition to Snort.  I would suggest turning off ALL the packages (including Snort) and then see how your web surfing and connectivity to the Management interface works.  If you still have issues, then you know it's not any of the packages.

    Bill
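A small coverage check, added here and not part of the thread or the pfSense Snort package, that parses a suppress list in the format quoted above, runs it over constructed fast-format alert lines, and prints the entries that are still missing (here, the DOUBLE DECODING ATTACK one). The alert lines and the helper names are assumptions.

```python
import re

# Suppress list in the comment-plus-rule style quoted in the thread (a subset of the poster's list).
SUPPRESS_LIST = """\
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
"""

# Constructed sample lines in Snort's "fast" alert format (not taken from the thread's logs).
SAMPLE_ALERTS = """\
10/15-09:12:01.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.0.2.5:50123
10/15-09:12:05.654321  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 203.0.113.11:80 -> 192.0.2.5:50124
10/15-09:13:00.000001  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.12:80 -> 192.0.2.5:50125
"""

# Global entries only; entries qualified with "track by_src/by_dst, ip ..." are out of scope here.
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")
# Fast-format alert header: "[**] [gid:sid:rev] message [**]"
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")

def parse_suppress(text):
    """Return the set of (gid, sid) pairs suppressed; lines starting with '#' are comments."""
    pairs = set()
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs

def unsuppressed_alerts(alert_text, suppressed):
    """Return (gid, sid, msg) for alerts the list does not cover; with Block Offenders on, these still block."""
    hits = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) not in suppressed:
            hits.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return hits

def suppress_entry(gid, sid, msg):
    """Format a suppress-list entry in the same comment-plus-rule style the thread uses."""
    return f"#{msg}\nsuppress gen_id {gid}, sig_id {sid}"

if __name__ == "__main__":
    for gid, sid, msg in unsuppressed_alerts(SAMPLE_ALERTS, parse_suppress(SUPPRESS_LIST)):
        print(suppress_entry(gid, sid, msg))
```

Remember that, as Bill notes above, Snort must be restarted on the interface before any entry you paste in takes effect.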



  • Issues with slow surfing and trouble entering the Management screen of the firewall indicate something hardware-related in my opinion.  I would look for duplex mismatches or bad cabling.  What type of hardware are you running pfSense on (for example, CPU type, amount of RAM, type of NIC, etc.).

    Intel(R) Pentium(R) 4 CPU 2.40GHz
    739 MB memory
    Two simple network cards, up to 100 MB
    Onboard network card, up to 100 MB
    Wireless network card, up to 54 MB

    Is there a way to know the technical specifications of the computer
    (which cards or memory), apart from what is listed in the Dashboard?

    To tell the truth, it could be a hardware problem.
    A few days ago there was a power problem in my area;
    for several days there were more than 20 power outages.
    I have a UPS, but it did not work,
    so the computer stopped working twice.

    I have no way to check the hardware
    apart from taking the computer to the lab.

    You are missing the Suppress Entry for the DOUBLE DECODING ATTACK alert.  You need this one as well based on your log posting:

    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2

    I saw it and have added it now.
    Let's see how this works now.

    I also saw from your earlier log posting that you appear to be running some other packages in addition to Snort.  I would suggest turning off ALL the packages (including Snort) and then see how your web surfing and connectivity to the Management interface works.  If you still have issues, then you know it's not any of the packages.

    I know the computer is a bit weak for all this
    But it worked great until now



  • 739 MB of RAM is a challenge for Snort with a full rule set.  Snort is a memory hog.  Depending on the number of rules active, RAM usage can quickly grow beyond 2 GB.  If your box begins swapping RAM out to the swap file, then performance will slow to a crawl.  Currently the Dashboard does not indicate any swap usage, so that may not be the problem.

    You can test Snort as the cause of your slowness issue by simply turning Snort off on the interfaces it is running on.  Just click the green arrow icon on the Snort Interfaces tab and wait for it to turn into a red X.  Snort is then stopped and is not consuming any resources nor doing anything to network traffic.  If things are still slow and you have web browsing issues, then Snort is not at fault and you know to look elsewhere.

    Now if Snort was blocking a number of web sites, that can also give the appearance of being slow.  What happens is most web sites use advertising, and that advertising is served up by external sources (meaning not from the same web server as the content you went to see is served from).  Sometimes those external sources are either known suspicious sites with poor reputations that are on a Snort block list, or the external site may use some non-standard HTTP encoding that the Snort HTTP_INSPECT preprocessor does not like.  Either way the incoming ad stream is blocked.  Some web pages will pause or simply not load when any of their embedded ads don't completely load.  You may be seeing some of that behavior as well.  Properly configuring a Suppress List will help in this area.

    Bill

