• I have a strange problem that occurs almost daily. A website that I frequent would become inaccessible after awhile and would stay that way for hours. For example, site like lenovo.com or notebookreview.com etc. When I try to ping or use traceroute on these "downed" sites nothing will happen so it's as if the computer can't even reach the router when pinging those specific sites. Every other website on the internet seems to work fine. If I wait a couple of hours or a day, the sites would be "up" again. If I change the DNS server(opendns, google), the sites would work but sometimes they go "down" again after awhile. I'd have to change dns server again or wait. It's a different site everyday, could even be a random website I visit for the first time. I have pfsense connected to a dd-wrt AP, only package running is snort. I see no log in snort that's blocking the sites and even if I turn snort off the sites are still "down". This happens to every computer on the network. I have no idea what's going on. What could be causing this?

  • LAYER 8 Global Moderator

    did you validate that you your machines can query the dns for the site.. For example simple nslookup or dig to lenovo.com

    You say if you change dns it works - so that really points to a dns related problem.

  • I took a peek inside the snort log in /var/log and it was snort that was blocking it. From what I gathered once snort blocks something even if you hit the red x to pause it will continue to block existing "bad sites" until snort is completely stopped/removed. For my minimal use i don't think snort is worth the hassle so I removed it.

    When the sites are accessible, i can do nslookup, ping, trace route, etc pretty much anything, they appear normal. I don't know why changing the dns server allowed it to work temporarily, but before I removed snort I could not get lenovo.com to work no matter what dns I used because I had already switched a couple times today. Thanks for the response

  • LAYER 8 Global Moderator

    Well yeah when the sites are accessible its a given you must of been able to do a dns query for them - I would of been more interested when they were not working ;)

    So was snort blocking access to the site, or the dns query?

    Any sort of IPS/IDS is going to take loads of configuration and work to make is viable product - if you think you can just click click and install something like snort and not have to spend quite a bit of time adjusting the rules and working out false positives then no snort is not for you.