Fw port scanning & snort blocks itself


  • AMD64 2.2.3
    In the attached image you can see two snort blocks on the WAN interface.

    2nd row (1st block, date/time in reverse order): the DNS server (unbound, overridden by the ISP DNS servers) triggers a block because of an unusual number of DNS entries that don't exist.

    As they are domains that no longer resolve for whatever reason, and can be caused by domains saved in pfSense, like aliases, or possibly software (malware in some cases, if you like) on workstations forcing pfSense to look up lots of fake domain names, or cloud servers with variable domain names that are short-lived, this can trigger a Snort block and effectively take the firewall offline, and anything else behind it.

    In the 1st row of the image, a few seconds later, what I can't work out is why would pfSense then do a port scan back at the ISP DNS server?

    78.151.235.1 is the ISP DNS server, 2.101.3.157 was the IP address assigned to me.

    Any ideas?

    TIA.
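The two symptoms in the post (a burst of lookups for names that don't exist, followed by a "port scan" alert from the firewall towards the ISP resolver) can both be triaged from flow records before anyone touches the Snort block list. The script below is an added example, not code from the post, from pfSense or from Snort: it works on a constructed list of flows (`FLOWS`) that reuses the two addresses quoted above, and the `NXDOMAIN` threshold, the minimum query count and the `192.168.1.x` / `203.0.113.9` hosts are all assumptions. `noisy_clients` flags hosts whose queries are mostly `NXDOMAIN` (the "lots of fake domain names" symptom), and `scan_profile` shows what a portscan alert for a given source/destination pair is actually made of: resolver traffic is many ephemeral source ports all aimed at one destination port (53), whereas a scan spreads over many destination ports.

```python
"""Triage helper for DNS-noise blocks and portscan alerts (added example).

Not from the original post, pfSense or Snort. Operates on constructed flow
records so it runs offline; swap FLOWS for parsed firewall/resolver logs.
"""
from collections import defaultdict

# Assumed thresholds: flag a client once >60% of at least 5 queries are NXDOMAIN.
NXDOMAIN_RATIO_THRESHOLD = 0.6
MIN_QUERIES = 5
# Assumed: this many distinct destination ports looks like port spread.
MIN_SCAN_PORTS = 4


def q(src, sport, dst, qname, rcode, dport=53, proto="udp"):
    """Build one flow record (DNS query plus the reply code that came back)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "qname": qname, "rcode": rcode}


# Constructed sample flows. 2.101.3.157 (the firewall's WAN address from the
# post) forwards to the ISP resolver 78.151.235.1; each query uses a fresh
# ephemeral source port, as a resolver normally does.
FLOWS = [
    q("2.101.3.157", 41201, "78.151.235.1", "update.example.com", "NOERROR"),
    q("2.101.3.157", 41377, "78.151.235.1", "old-alias.example.net", "NXDOMAIN"),
    q("2.101.3.157", 41502, "78.151.235.1", "xk3f9a.example.org", "NXDOMAIN"),
    q("2.101.3.157", 41688, "78.151.235.1", "gone-cdn-node-17.example.net", "NXDOMAIN"),
    q("2.101.3.157", 41913, "78.151.235.1", "q7zp2m.example.org", "NXDOMAIN"),
    q("2.101.3.157", 42044, "78.151.235.1", "www.example.com", "NOERROR"),
    q("2.101.3.157", 42310, "78.151.235.1", "retired-host.example.net", "NXDOMAIN"),
    q("2.101.3.157", 42577, "78.151.235.1", "mail.example.com", "NOERROR"),
    # Assumed LAN workstation hammering the firewall's resolver with junk names.
    q("192.168.1.20", 50001, "192.168.1.1", "a1b2c3.example.org", "NXDOMAIN"),
    q("192.168.1.20", 50002, "192.168.1.1", "d4e5f6.example.org", "NXDOMAIN"),
    q("192.168.1.20", 50003, "192.168.1.1", "g7h8i9.example.org", "NXDOMAIN"),
    q("192.168.1.20", 50004, "192.168.1.1", "j0k1l2.example.org", "NXDOMAIN"),
    q("192.168.1.20", 50005, "192.168.1.1", "m3n4o5.example.org", "NXDOMAIN"),
    q("192.168.1.20", 50006, "192.168.1.1", "p6q7r8.example.org", "NXDOMAIN"),
    # Assumed quiet LAN client: too few queries to judge.
    q("192.168.1.30", 51000, "192.168.1.1", "www.example.com", "NOERROR"),
    q("192.168.1.30", 51001, "192.168.1.1", "mail.example.com", "NOERROR"),
    q("192.168.1.30", 51002, "192.168.1.1", "update.example.com", "NOERROR"),
    # Assumed inbound probe from TEST-NET for contrast: one source port, many
    # destination ports, no DNS payload at all.
    q("203.0.113.9", 54321, "2.101.3.157", None, None, dport=22, proto="tcp"),
    q("203.0.113.9", 54321, "2.101.3.157", None, None, dport=23, proto="tcp"),
    q("203.0.113.9", 54321, "2.101.3.157", None, None, dport=80, proto="tcp"),
    q("203.0.113.9", 54321, "2.101.3.157", None, None, dport=443, proto="tcp"),
    q("203.0.113.9", 54321, "2.101.3.157", None, None, dport=3389, proto="tcp"),
]


def nxdomain_ratio(flows, client):
    """Return (share of NXDOMAIN replies, number of DNS queries) for one client."""
    queries = [f for f in flows if f["src"] == client and f["dport"] == 53]
    if not queries:
        return 0.0, 0
    nx = sum(1 for f in queries if f["rcode"] == "NXDOMAIN")
    return nx / len(queries), len(queries)


def noisy_clients(flows, threshold=NXDOMAIN_RATIO_THRESHOLD, min_queries=MIN_QUERIES):
    """Map client -> (ratio, count) for clients whose lookups are mostly dead names."""
    clients = {f["src"] for f in flows if f["dport"] == 53}
    flagged = {}
    for client in sorted(clients):
        ratio, count = nxdomain_ratio(flows, client)
        if count >= min_queries and ratio > threshold:
            flagged[client] = (ratio, count)
    return flagged


def scan_profile(flows, src, dst, min_ports=MIN_SCAN_PORTS):
    """Describe what a portscan alert for src -> dst is made of.

    Resolver traffic concentrates on one destination port (53) while the
    source port varies; a scan spreads across many destination ports.
    """
    sel = [f for f in flows if f["src"] == src and f["dst"] == dst]
    dports = {f["dport"] for f in sel}
    sports = {f["sport"] for f in sel}
    if sel and dports == {53}:
        verdict = "dns-resolver-traffic"
    elif len(dports) >= min_ports:
        verdict = "port-spread-scan"
    else:
        verdict = "inconclusive"
    return {"flows": len(sel), "distinct_dst_ports": len(dports),
            "distinct_src_ports": len(sports), "verdict": verdict}


if __name__ == "__main__":
    for client, (ratio, count) in noisy_clients(FLOWS).items():
        print(f"{client}: {ratio:.0%} of {count} queries were NXDOMAIN")
    print(scan_profile(FLOWS, "2.101.3.157", "78.151.235.1"))
    print(scan_profile(FLOWS, "203.0.113.9", "2.101.3.157"))
```

Running it flags both the firewall's own forwarding traffic (5 of 8 queries dead) and the assumed workstation (6 of 6), while the "scan" from the firewall to the ISP resolver profiles as eight distinct source ports all targeting port 53, the opposite shape from the contrasting TEST-NET probe. That split is what you want to see before deciding whether a Snort block on a WAN resolver address is worth keeping or whether the resolver belongs on a pass list.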