Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort + HAVP ….. The following server is down :-(

    Scheduled Pinned Locked Moved pfSense Packages
    3 Posts 3 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      leddra2k
      last edited by

      Howdy all,

      I've been using PFSense for sometime now and thought I would add Snort to the mix. The only trouble is now that I've configured it I will get HAVP messages when trying to go to some sites for example photobox.co.uk

      The screen message is as follows:

      HAVP

      The following server is down
      Connection failed

      I have tried restarting, stop and start of HAVP and snort services and no joy! The only way I can clear this down so I can access photobox again is deinstall the Snort package.

      Anyone else getting this? On the latest versions…

      Cheers,

      Ant^

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        Hello leddra2k,

        Snort will need to be tuned to your network. If you enabled "blocking", you need to look at the Alerts and Blocked Tabs. You can disable rules if they are not necessary for your network or you can add suppression.

        There are several discussions in the forum to help in tuning snort.

        Snort is not something to just turn on and walk away.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          There is a bug in the Snort binary with regards to SSL detection.  That might be what is happening here if the URL is https://.  You can Google some references to the bug by looking for "client HELO after server HELO".  This bug will hopefully be fixed in a later Snort binary release.  For now I recommend suppressing this particular alert.

          As BBcan17 mentioned, peruse the threads here in the Packages forum for advice on how to tune Snort by suppressing common false positives.

          Bill

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.