Snort WAN Interface generates multicast traffic.

pfSense Packages
Log in to reply
  • C

    Hi all,

    I have a newbie question.
    I upgraded to 2.9.5.5 pkg v.3.0.1
    I am having a strange problem which I am not able to find a solution on google.

    As soon as I enable the wan interface (with/without rules(one rule)) it starts to generate multicast traffic  every 20 seconds/12 entries and pfsense blocks the traffic.

    Dec 23 23:27:02 pf: 192.168.1.254.1900 > 239.255.255.250.1900: UDP, length 356
    Dec 23 23:27:02 pf: 00:00:00.029971 rule 48/0(match): block in on em0: (tos 0xa0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 384)

    192.168.1.254 is the wan gateway.
    Although 239.255.255.250.1900 is associated with ssdp/upnp/windows etc.
    the source is not that because even I turn off the whole system, including the switch, the pfsense logs keeps on showing the same entries with the time stamp of when the systems were off.
    None of the systems have upnp enabled.

    any idea what may be the cause?

    Thank you.

    0
  • jimp
    Rebel Alliance Developer Netgate

    When you run snort the interface is placed into promiscuous mode so it will receive and process more traffic that it would have seen otherwise. Without promiscuous mode, it will only process traffic destined for your NIC's MAC or broadcast and such.

    That should have shown up even without promiscuous mode though because 239.255.255.250 is a multicast address. Your upstream gateway is announcing itself to the rest of the segment. Perhaps the gateway is broken and it isn't actually sending it to a proper multicast MAC.

    If it bothers you, you can disable logging for the block private networks rule (in the system logs settings) or if you don't have that enabled, make your own WAN rule to block the traffic without logging it.

    0
  • C

    Thank you for an answer.
    It is exactly what I thought  that it is related to promiscuous mode as I read it also in somewhere else that snort has to listen other traffic as well so it is normal. But needed to be sure. :)

    What you mean by maybe gateway is broken ?
    It seems to be online with %0 loss.

    Thanks again.

    0
  • jimp
    Rebel Alliance Developer Netgate

    Not broken in the sense that it is down/won't pass traffic. Broken in the way it's sending that multicast traffic. It should be received by all ports in the segment if they address the multicast traffic properly. It's not a big deal though since you don't need to use that anyhow. It may be fine anyhow since perhaps your system would need to join the right multicast group to see it. Probably my brain shutting down for the holiday to blame there.

    0
  • C

    :)
    Thanks a lot again.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy