Fw port scanning & snort blocks itself

IDS/IPS
Log in to reply
  • F

    AMD64 2.2.3
    In the attached image you can see two snort blocks on the WAN interface.

    2nd row (1st block, date time in reverse order), the DNS server (unbound overridden by the ISP DNS servers) triggers a block because of an unusual number of DNS entries that dont exist.

    As they are domains that no longer resolve for what ever reason and can be caused by domains saved in pfsense, like aliases, or possibly software (malware in some cases if you like) on workstations forcing pfsense to lookup lots of fake domains names or cloudservers with variable domain names that are short lived, this can trigger a snort block and effectively take the firewall offline and anything else behind it.

    In the 1st row of the image, a few seconds later, what I cant work out, is why would pfsense then do a portscan back at the the ISP DNS server?

    78.151.235.1 is the ISP dns server, 2.101.3.157 was the ip address assigned to me.

    Any ideas?

    TIA.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy