Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort or config causing upload timeouts

    Scheduled Pinned Locked Moved IDS/IPS
    4 Posts 2 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      meta4
      last edited by

      when enabled, snort with a basic config (ac-bnfa, vrt oinkmaster list) on my netgate apu4 running 2.2.2 (same issue with 2.2.1) is causing upload speed test to timeout.

      download speeds are acceptable, but once testing upload, immediately cuts out upload almost completely. tested with same results on speedtest and speakeasy.

      my mtu is set to auto.

      nothing questionable added to firewall rules.

      when i disable snort, i get a working upload at assumed speeds.

      any ideas why snort would kill upload but not effect download?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Do you mean by "timeout" that you upload is effectively 0 bytes/sec and you eventually get a timeout message?  If so, then Snort is likely blocking your speed test server for some reason (likely a false positive).  I am assuming you have blocking enabled within Snort.  Look at the ALERTS and BLOCKED tabs in Snort and see if your target upload server's IP address is listed.  If it is, you will also see which SID rule caused the alert.  Determine if it's a false positive and suppress it if it is.

        Bill

        1 Reply Last reply Reply Quote 0
        • M
          meta4
          last edited by

          found it!

          it was this rule

          (http_inspect) UNESCAPED SPACE IN HTTP URI

          suppressed it. tested and had a functional upload test.

          thank you!

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Snort is a real stickler for requiring adherence to all the RFCs for web servers.  If a site's server deviates one little bit, the HTTP_INSPECT processor in Snort will pounce… ;D.

            Glad you found it.  You can either suppress that alert or disable that rule entirely.  There are a number of those HTTP_INSPECT rules that will false positive.

            Bill

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.