Netgate Discussion Forum

    Fw port scanning & snort blocks itself

    IDS/IPS
    1 Posts 1 Posters 716 Views
    firewalluser

      AMD64 2.2.3
      In the attached image you can see two Snort blocks on the WAN interface.

      2nd row (1st block, date/time in reverse order): the DNS server (Unbound overridden by the ISP DNS servers) triggers a block because of an unusual number of DNS entries that don't exist.

      As they are domains that no longer resolve for whatever reason, and can be caused by domains saved in pfSense (like aliases), or possibly by software (malware in some cases, if you like) on workstations forcing pfSense to look up lots of fake domain names, or by cloud servers with variable, short-lived domain names, this can trigger a Snort block and effectively take the firewall offline, and anything else behind it.

      In the 1st row of the image, a few seconds later, what I can't work out is why pfSense would then do a portscan back at the ISP DNS server?

      78.151.235.1 is the ISP DNS server, 2.101.3.157 was the IP address assigned to me.

      Any ideas?

      TIA.
      pfsense.png


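As an added illustration (not code from the post, from pfSense or from Snort), the following Python script parses Snort "fast"-format alert lines and flags any block that would hit an address the firewall itself depends on (its upstream resolver, its gateway, its own WAN address). That is the self-lockout scenario the post describes: Snort blocks the ISP DNS server and takes the firewall offline. The log lines are constructed to mirror the two WAN blocks in the post (DNS alerts from 78.151.235.1, then a port-scan alert a few seconds later); the rule SIDs and messages are placeholders, not real rules, and the "block both source and destination" default and the pass-list contents are assumptions.

```python
"""Parse Snort "fast" alert lines and flag blocks that would cut the firewall
off from hosts it needs (upstream DNS, default gateway, its own WAN IP).

Added illustration for the post above; not pfSense or Snort code.
Log lines are constructed; SIDs and messages are placeholders.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Snort alert_fast line layout. Ports are absent on preprocessor alerts
# such as the port-scan detector, whose protocol field reads PROTO:255.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample (placeholder SIDs/messages), modelled on the post:
# three DNS alerts sourced from the ISP resolver, then a port-scan alert.
SAMPLE_LOG = """\
07/14-10:21:30.103344  [**] [1:9000001:1] PLACEHOLDER DNS excessive NXDOMAIN responses [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 78.151.235.1:53 -> 2.101.3.157:51234
07/14-10:21:30.104012  [**] [1:9000001:1] PLACEHOLDER DNS excessive NXDOMAIN responses [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 78.151.235.1:53 -> 2.101.3.157:51235
07/14-10:21:30.104881  [**] [1:9000001:1] PLACEHOLDER DNS excessive NXDOMAIN responses [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 78.151.235.1:53 -> 2.101.3.157:51236
07/14-10:21:37.551102  [**] [122:9000002:1] PLACEHOLDER (portscan) TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 2.101.3.157 -> 78.151.235.1
"""


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["gid"] = int(alert["gid"])
    alert["sid"] = int(alert["sid"])
    alert["pri"] = int(alert["pri"])
    return alert


def parse_log(text):
    """Parse every alert line in a log, silently skipping anything else."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def hosts_blocked_by(alert, block_on="both"):
    """Addresses the blocking plugin would hand to the firewall for one alert.

    block_on mirrors a per-interface 'which IP to block' choice: 'src', 'dst'
    or 'both'. 'both' is assumed as the default here.
    """
    if block_on == "src":
        return {alert["src"]}
    if block_on == "dst":
        return {alert["dst"]}
    return {alert["src"], alert["dst"]}


def lockout_risks(alerts, pass_list, block_on="both"):
    """Alerts whose block would land on an address in pass_list.

    pass_list is the set of addresses the firewall cannot afford to block
    (upstream DNS, gateway, own WAN IP). Returns (ts, sid, msg, hit) tuples.
    """
    protected = {str(ip_address(p)) for p in pass_list}
    risks = []
    for a in alerts:
        hit = hosts_blocked_by(a, block_on) & protected
        if hit:
            risks.append((a["ts"], a["sid"], a["msg"], sorted(hit)))
    return risks


def alert_counts(alerts):
    """How many times each (sid, msg) fired; a burst from one rule is the
    usual sign of the NXDOMAIN-flood style trigger described in the post."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    # Assumed pass list: ISP resolver and the WAN address from the post.
    alerts = parse_log(SAMPLE_LOG)
    for key, n in alert_counts(alerts).items():
        print(f"{n:3d} x sid {key[0]}: {key[1]}")
    for ts, sid, msg, hit in lockout_risks(alerts, {"78.151.235.1", "2.101.3.157"}):
        print(f"{ts} sid {sid} would block {hit} (needed by the firewall): {msg}")
```

On pfSense the corresponding control is the Snort package's pass list, which exempts addresses such as the interface's DNS servers and gateway from blocking; whether a given block would have been prevented depends on which pass list, and which "block source/destination" setting, the interface actually uses, so the script takes both as inputs rather than assuming them.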
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.