Installed pfSense and Snort and now YouTube only runs Ads or vids for 60 seconds



  • Hi, just installed pfSense and Snort and now YouTube won't play.
    YouTube ads play and then the YouTube video won't run.

    I rebooted pfSense, Snort and the computer; then YouTube will play the video for 60 seconds, then it's blocked again.

    I have tested more computers on the LAN and they also can't play YouTube.
    pfSense's CPU and RAM are nowhere near capacity.

    Any suggestions?



  • What snort rules are you using?  What is showing up in your snort block list?  Have you used any of the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw?



  • I am using the standard Snort rules available for download upon installing Snort for the 1st time.

    The below code is the Snort Blocked list.

    
    #  Host             Alert                                                                   Time
    1  58.162.61.17     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:12:18
    2  58.162.61.13     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:17:41
    3  58.162.61.14     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:04:32
    4  119.15.68.8      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:17:35
    5  8.27.248.254     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:33:38
    6  74.125.109.136   (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:00:57
    7  74.125.109.72    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:02:15
    8  119.15.70.30     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:28:37
    
    

    I don't know about the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw.

    I will research to find these, unless someone knows where they are.

    Rebooted pfSense and computer this morning after turning off for the night and same issue.
    YouTube runs for 3:43 then freezes. Other videos are also not streaming…only the advertisements at the beginning of the videos.

    Should I use the suppression list or the Whitelist to allow some websites? What is the more efficient method?
    I have added www.youtube.com into the Whitelist filename, but YouTube still won't show.



  • @eiger3970:

    I am using the standard Snort rules available for download upon installing Snort for the 1st time.

    The below code is the Snort Blocked list.

    
    #  Host             Alert                                                                   Time
    1  58.162.61.17     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:12:18
    2  58.162.61.13     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:17:41
    3  58.162.61.14     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:04:32
    4  119.15.68.8      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:17:35
    5  8.27.248.254     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:33:38
    6  74.125.109.136   (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:00:57
    7  74.125.109.72    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:02:15
    8  119.15.70.30     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:28:37
    
    

    I don't know about the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw.

    I will research to find these, unless someone knows where they are.

    Rebooted pfSense and computer this morning after turning off for the night and same issue.
    YouTube runs for 3:43 then freezes. Other videos are also not streaming…only the advertisements at the beginning of the videos.

    Should I use the suppression list or the Whitelist to allow some websites? What is the more efficient method?
    I have added www.youtube.com into the Whitelist filename, but YouTube still won't show.

    You want to add Suppress List entries for those HTTP_INSPECT alerts.  They are considered false positives.  On the ALERTS tab, just click the plus (+) icon next to the GID:SID in the SID column.  That will auto add it to the Suppress List for the interface.  When done adding them, restart Snort on the interface.

    You can't really whitelist a domain name.  Snort works only with IP addresses.  It can't decipher an FQDN (fully-qualified domain name) such as "www.youtube.com" in real time.  And because a site like YouTube will have a load-balancer in front of a bunch of servers, you can get a different IP address each time you visit the site, or even when you view a different video.  So it becomes a futile task to try and add all the changing IP addresses.

    Bill
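The Suppress List that Bill describes is built through the pfSense GUI one alert at a time. The following is an added example, not code from this thread, from the pfSense Snort package or from Snort itself: it parses Snort alert_fast lines, counts hits per GID:SID and emits suppress-list lines in Snort's own `suppress gen_id N, sig_id M` syntax, so you can see which alerts are flooding the interface before suppressing anything. The sample alert lines are constructed (the IPs are borrowed from the block table posted above; the timestamps, ports and the two non-http_inspect alerts are made up), and the `HTTP_INSPECT_GIDS` set, the `min_hits` cut-off and the "review first" comment convention are my choices.

```python
import re
from collections import Counter

# http_inspect preprocessor alerts come from GID 119 (client side) and
# GID 120 (server side); rule-based alerts use GID 1.
HTTP_INSPECT_GIDS = {119, 120}

# Constructed sample in Snort alert_fast format (not captured logs).
SAMPLE_ALERTS = """\
02/14/14-08:00:57.101  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 74.125.109.136:80 -> 192.168.1.10:50001
02/14/14-08:02:15.204  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 74.125.109.72:80 -> 192.168.1.10:50002
02/14/14-08:04:32.330  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 58.162.61.14:80 -> 192.168.1.11:50003
02/14/14-08:12:18.410  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.10:50004 -> 58.162.61.17:80
02/14/14-08:17:35.512  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 119.15.68.8:80 -> 192.168.1.10:50005
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Turn alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def count_by_sid(alerts):
    """Hits per (gid, sid), which is what the Suppress List keys on."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def suggest_suppress(alerts, min_hits=2):
    """Return suppress-list lines in Snort threshold syntax.

    Preprocessor (http_inspect) alerts seen at least min_hits times get a
    global suppress entry; everything else is emitted only as a commented,
    per-source candidate so a human decides before silencing a real rule.
    """
    counts = count_by_sid(alerts)
    msgs = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    lines = []
    for (gid, sid), n in sorted(counts.items()):
        lines.append(f"# ({gid}:{sid}) {msgs[(gid, sid)]} - {n} hit(s)")
        if gid in HTTP_INSPECT_GIDS and n >= min_hits:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
        else:
            srcs = sorted({a["src"] for a in alerts if (a["gid"], a["sid"]) == (gid, sid)})
            for src in srcs:
                lines.append(
                    f"# review first: suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    print("\n".join(suggest_suppress(parse_alerts(SAMPLE_ALERTS))))
```

A bare `suppress gen_id 120, sig_id 3` silences that alert for every host on the interface; adding `track by_src, ip <addr>` (or `by_dst`) limits the suppression to one peer, which is the safer form for anything that is not a known-noisy preprocessor alert. Either way the entry only takes effect after Snort is restarted on the interface, as Bill notes.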



  • Thanks, that seems to have fixed it.



  • I had to factory restore pfSense and with a fresh install of pfSense, the same issue occurs.
    This tells me Snort was not the problem and that the initial Setup Wizard for pfSense doesn't allow a user to use the Internet?

    I find this unusual, as when you plug in a router, away you go.
    Then if you want to restrict traffic, you add rules.
    It seems pfSense has locked down too much, as I can only browse to a few sites and not access search results on how to make the Internet work?

    Any suggestions how to allow Internet on pfSense with a standard default Setup Wizard configuration?



    The factory defaults of pfSense provide full access from any LAN client out WAN to anything on the internet. If your WAN just gets a local private DHCP address from your ISP router, then make sure to put LAN on a different IP subnet from WAN.
    If you really are having trouble with the factory defaults plus wizard setup, then I suggest start a new thread for that. Say what sort of internet connection you have and exactly what you answered in the wizard.
    Because it really does work - I have done plenty of these, and many people have done hundreds, and probably thousands.



  • @bmeeks:

    @eiger3970:

    I am using the standard Snort rules available for download upon installing Snort for the 1st time.

    The below code is the Snort Blocked list.

    
    #  Host             Alert                                                                   Time
    1  58.162.61.17     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:12:18
    2  58.162.61.13     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:17:41
    3  58.162.61.14     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:04:32
    4  119.15.68.8      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:17:35
    5  8.27.248.254     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:33:38
    6  74.125.109.136   (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:00:57
    7  74.125.109.72    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:02:15
    8  119.15.70.30     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE   02/14/14-08:28:37
    
    

    I don't know about the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw.

    I will research to find these, unless someone knows where they are.

    Rebooted pfSense and computer this morning after turning off for the night and same issue.
    YouTube runs for 3:43 then freezes. Other videos are also not streaming…only the advertisements at the beginning of the videos.

    Should I use the suppression list or the Whitelist to allow some websites? What is the more efficient method?
    I have added www.youtube.com into the Whitelist filename, but YouTube still won't show.

    You want to add Suppress List entries for those HTTP_INSPECT alerts.  They are considered false positives.  On the ALERTS tab, just click the plus (+) icon next to the GID:SID in the SID column.  That will auto add it to the Suppress List for the interface.  When done adding them, restart Snort on the interface.

    You can't really whitelist a domain name.  Snort works only with IP addresses.  It can't decipher an FQDN (fully-qualified domain name) such as "www.youtube.com" in real time.  And because a site like YouTube will have a load-balancer in front of a bunch of servers, you can get a different IP address each time you visit the site, or even when you view a different video.  So it becomes a futile task to try and add all the changing IP addresses.

    Bill

    Thank you so much for this.
    I've been getting blocked on certain sites, and I've added the default .site.com/ to hapv and still was getting those darn blocks.
    Most of the sites I went to just worked; I saw a lot of the 120:3 SID NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE alerts, and now I can go to them. samsung.ca was one such site, or if you went to a site with a French and an English version. So thank you very much.



  • Hi, may I know, are all "http_inspect" alerts considered false positives?

    In that case mine is not picking up any true alerts.



  • @luke1018:

    Hi, may I know, are all "http_inspect" alerts considered false positives?

    In that case mine is not picking up any true alerts.

    The majority of those HTTP_INSPECT alerts are what we call "false positives", but that is probably not 100% accurate.  The alerts tell you that a given web site is doing something potentially against the accepted standards, but then the other side of that coin is almost all the web sites today do not follow the accepted standards to perfection anyway.  So you will get the HTTP_INSPECT alerts frequently even when the detected traffic is in no way malicious.

    So most IDS/IPS admins will start suppressing lots of the HTTP_INSPECT alerts simply due to the log noise they generate.

    Bill
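To make Bill's point concrete for the specific alert in this thread, here is an added example (not from the thread, and not Snort's http_inspect code) that classifies a raw HTTP response by how its message body is delimited, following the order of RFC 7230 section 3.3.3: no body (1xx/204/304), Transfer-Encoding, Content-Length, or "read until the server closes the connection". That last case is a response with neither length header, which is legal HTTP (it is how HTTP/1.0 servers and many HTTP/1.1 servers that send `Connection: close` behave) and is exactly the condition that the 120:3 "NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE" alert keys on. All sample responses are constructed; the function names are mine.

```python
# Body framing of an HTTP response per RFC 7230 section 3.3.3, to show
# what http_inspect alert 120:3 fires on. Added example; constructed input.

NO_BODY_STATUSES = {204, 304}


def parse_response(raw: bytes):
    """Split a raw response into (version, status, headers, body).

    headers maps lower-cased names to a list of values so duplicated
    headers (e.g. two Content-Length fields) remain visible to the caller.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    version, status, _reason = (lines[0].decode("latin-1").split(" ", 2) + [""])[:3]
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1"))
    return version, int(status), headers, body


def framing(raw: bytes) -> str:
    """Return how the body length is determined, in RFC 7230 3.3.3 order."""
    version, status, headers, body = parse_response(raw)
    if 100 <= status < 200 or status in NO_BODY_STATUSES:
        # These responses never carry a body, so no length header is expected.
        return "no-body"
    if "transfer-encoding" in headers:
        # Transfer-Encoding overrides any Content-Length that is also present.
        codings = [c.strip().lower()
                   for v in headers["transfer-encoding"] for c in v.split(",")]
        return "chunked" if codings[-1] == "chunked" else "transfer-encoding-until-close"
    if "content-length" in headers:
        values = set(headers["content-length"])
        if len(values) != 1 or not values.pop().isdigit():
            # Conflicting or non-numeric lengths: the message is malformed.
            return "invalid-content-length"
        return "content-length"
    # Neither header: the body ends when the server closes the connection.
    # Legal under the RFC, common with HTTP/1.0 servers, and exactly what
    # http_inspect reports as 120:3.
    return "close-delimited"


def would_raise_120_3(raw: bytes) -> bool:
    """True when the response has neither Content-Length nor Transfer-Encoding."""
    return framing(raw) == "close-delimited"


# Constructed sample responses (not captured from the hosts in the thread).
LEGACY_1_0 = (b"HTTP/1.0 200 OK\r\nServer: legacy/1.0\r\nContent-Type: text/html\r\n"
              b"Connection: close\r\n\r\n<html><body>old but valid</body></html>")
WITH_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n0\r\n\r\n")
NO_CONTENT = b"HTTP/1.1 204 No Content\r\nDate: Fri, 14 Feb 2014 08:12:18 GMT\r\n\r\n"
TWO_LENGTHS = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"

if __name__ == "__main__":
    for name, sample in [("LEGACY_1_0", LEGACY_1_0), ("WITH_LENGTH", WITH_LENGTH),
                         ("CHUNKED", CHUNKED), ("NO_CONTENT", NO_CONTENT),
                         ("TWO_LENGTHS", TWO_LENGTHS)]:
        print(f"{name:12} framing={framing(sample):28} 120:3={would_raise_120_3(sample)}")
```

The close-delimited case is why the alert is mostly noise: the server did nothing wrong, it just chose the oldest legal way of ending a response. The `invalid-content-length` case, on the other hand, is a genuinely malformed message and is the kind of thing you would not want to lose in the noise, which is the argument for suppressing the specific preprocessor SIDs you have reviewed rather than all of GID 120 wholesale.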

