Snort WAN Interface generates multicast traffic.
-
Hi all,
I have a newbie question.
I upgraded to 2.9.5.5 pkg v.3.0.1
I am having a strange problem which I am not able to find a solution on google.As soon as I enable the wan interface (with/without rules(one rule)) it starts to generate multicast traffic every 20 seconds/12 entries and pfsense blocks the traffic.
Dec 23 23:27:02 pf: 192.168.1.254.1900 > 239.255.255.250.1900: UDP, length 356
Dec 23 23:27:02 pf: 00:00:00.029971 rule 48/0(match): block in on em0: (tos 0xa0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 384)192.168.1.254 is the wan gateway.
Although 239.255.255.250.1900 is associated with ssdp/upnp/windows etc.
the source is not that because even I turn off the whole system, including the switch, the pfsense logs keeps on showing the same entries with the time stamp of when the systems were off.
None of the systems have upnp enabled.any idea what may be the cause?
Thank you.
-
When you run snort the interface is placed into promiscuous mode so it will receive and process more traffic that it would have seen otherwise. Without promiscuous mode, it will only process traffic destined for your NIC's MAC or broadcast and such.
That should have shown up even without promiscuous mode though because 239.255.255.250 is a multicast address. Your upstream gateway is announcing itself to the rest of the segment. Perhaps the gateway is broken and it isn't actually sending it to a proper multicast MAC.
If it bothers you, you can disable logging for the block private networks rule (in the system logs settings) or if you don't have that enabled, make your own WAN rule to block the traffic without logging it.
-
Thank you for an answer.
It is exactly what I thought that it is related to promiscuous mode as I read it also in somewhere else that snort has to listen other traffic as well so it is normal. But needed to be sure. :)What you mean by maybe gateway is broken ?
It seems to be online with %0 loss.Thanks again.
-
Not broken in the sense that it is down/won't pass traffic. Broken in the way it's sending that multicast traffic. It should be received by all ports in the segment if they address the multicast traffic properly. It's not a big deal though since you don't need to use that anyhow. It may be fine anyhow since perhaps your system would need to join the right multicast group to see it. Probably my brain shutting down for the holiday to blame there.
-
:)
Thanks a lot again.
