Snort or config causing upload timeouts



  • when enabled, snort with a basic config (ac-bnfa, vrt oinkmaster list) on my netgate apu4 running 2.2.2 (same issue with 2.2.1) is causing upload speed test to timeout.

    download speeds are acceptable, but once testing upload, immediately cuts out upload almost completely. tested with same results on speedtest and speakeasy.

    my mtu is set to auto.

    nothing questionable added to firewall rules.

    when i disable snort, i get a working upload at assumed speeds.

    any ideas why snort would kill upload but not affect download?



  • Do you mean by "timeout" that your upload is effectively 0 bytes/sec and you eventually get a timeout message?  If so, then Snort is likely blocking your speed test server for some reason (likely a false positive).  I am assuming you have blocking enabled within Snort.  Look at the ALERTS and BLOCKED tabs in Snort and see if your target upload server's IP address is listed.  If it is, you will also see which SID rule caused the alert.  Determine if it's a false positive and suppress it if it is.

    Bill



  • found it!

    it was this rule

    (http_inspect) UNESCAPED SPACE IN HTTP URI

    suppressed it. tested and had a functional upload test.

    thank you!



  • Snort is a real stickler for requiring adherence to all the RFCs for web servers.  If a site's server deviates one little bit, the HTTP_INSPECT processor in Snort will pounce… ;D.

    Glad you found it.  You can either suppress that alert or disable that rule entirely.  There are a number of those HTTP_INSPECT rules that will false positive.

    Bill
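
The triage described in this thread (find which rule alerted on the test server's IP, then suppress it), as an added example that is not part of the original posts: it parses Snort fast-format alert lines, keeps those involving one host, and writes suppress entries limited to that host instead of suppressing the rule everywhere. The log lines, IP addresses, GID:SID values and function names are constructed for illustration; read the real values from your own ALERTS tab.

```python
import re
from collections import Counter

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_ALERTS = """\
04/12-10:15:32.101  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
04/12-10:15:32.480  [**] [119:33:1] (http_inspect) UNESCAPED SPACE IN HTTP URI [**] [Priority: 3] {TCP} 192.168.1.10:51236 -> 203.0.113.5:80
04/12-10:16:02.007  [**] [1:2000001:1] CONSTRUCTED unrelated rule [**] [Priority: 2] {TCP} 192.168.1.10:51300 -> 198.51.100.7:443
this line is not an alert and is skipped
"""

def rules_for_host(log_text, host_ip):
    """Count alerts per (gid, sid, msg, track) where host_ip is src or dst."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # malformed or non-alert line
        if m["src"] == host_ip:
            track = "by_src"
        elif m["dst"] == host_ip:
            track = "by_dst"
        else:
            continue  # alert does not involve the host under review
        hits[(int(m["gid"]), int(m["sid"]), m["msg"], track)] += 1
    return hits

def suppress_entries(hits, host_ip):
    """Build suppress-list lines scoped to host_ip only (Snort 2.x syntax)."""
    lines = []
    for (gid, sid, msg, track), count in sorted(hits.items()):
        lines.append(f"# {msg} ({count} alerts)")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {host_ip}")
    return lines

if __name__ == "__main__":
    server = "203.0.113.5"  # constructed: the speed test server's address
    print("\n".join(suppress_entries(rules_for_host(SAMPLE_ALERTS, server), server)))
```

Review each listed rule as a false positive before pasting the entries into the interface's suppress list; the host-scoped form leaves the rule active for all other traffic.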

