Snort + HAVP ….. The following server is down :-(



  • Howdy all,

    I've been using pfSense for some time now and thought I would add Snort to the mix. The only trouble is that now that I've configured it, I will get HAVP messages when trying to go to some sites, for example photobox.co.uk.

    The screen message is as follows:

    HAVP

    The following server is down
    Connection failed

    I have tried restarting, and stopping and starting, the HAVP and Snort services, and no joy! The only way I can clear this down so I can access photobox again is to deinstall the Snort package.

    Anyone else getting this? On the latest versions…

    Cheers,

    Ant^


  • Moderator

    Hello leddra2k,

    Snort will need to be tuned to your network. If you enabled "blocking", you need to look at the Alerts and Blocked tabs. You can disable rules if they are not necessary for your network, or you can add suppression.

    There are several discussions in the forum to help in tuning Snort.

    Snort is not something to just turn on and walk away.



  • There is a bug in the Snort binary with regard to SSL detection. That might be what is happening here if the URL is https://. You can Google some references to the bug by looking for "client HELO after server HELO". This bug will hopefully be fixed in a later Snort binary release. For now I recommend suppressing this particular alert.

    As BBcan17 mentioned, peruse the threads here in the Packages forum for advice on how to tune Snort by suppressing common false positives.

    Bill
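
The tuning workflow the replies describe (read the alerts, find the noisy signature, add a suppression), as an added example that is not part of the original thread: it tallies alerts in Snort's "fast" alert format by GID:SID and builds `suppress` entries scoped to the affected destination rather than disabling the rule everywhere. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
# Read the real GID:SID for your false positive off your own Alerts tab.
SAMPLE_ALERTS = """\
08/28-10:15:01.120001  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.1.20:51512 -> 203.0.113.10:443
08/28-10:15:03.480220  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.1.20:51514 -> 203.0.113.10:443
08/28-10:16:40.000913  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:51600
08/28-10:17:12.730455  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.1.31:49822 -> 203.0.113.10:443
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

def parse_alerts(text):
    """Return one dict per parsable alert line (IPv4 'ip:port' endpoints assumed)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
            a["dst_ip"] = a["dst"].partition(":")[0]  # drop the port if present
            alerts.append(a)
    return alerts

def tally(alerts):
    """Count alerts per (gid, sid, message) so the noisiest signature stands out."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)

def suppress_lines(alerts, gid, sid, scoped=True):
    """Build suppress entries; scoped=True limits each to a destination IP seen in the alerts."""
    base = f"suppress gen_id {gid}, sig_id {sid}"
    if not scoped:
        return [base]
    ips = sorted({a["dst_ip"] for a in alerts if (a["gid"], a["sid"]) == (gid, sid)})
    return [f"{base}, track by_dst, ip {ip}" for ip in ips]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in tally(alerts).most_common():
        print(f"{n:4d}  {gid}:{sid}  {msg}")
    print("\n".join(suppress_lines(alerts, 137, 1)))
```

The generated lines go into the suppress list assigned to the Snort interface; the scoped form keeps the signature active for every other destination.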

