Netgate Discussion Forum

    Snort started blocking almost all downloads

      dgall

      I have been using pfSense and Snort for about a year now without any problems, and now Snort has started to block almost all downloads from the web, and I haven't changed any of the settings. What would cause this, and what do I need to change? For now, if I need to do any bigger downloads for drivers and software, I just turn Snort off until I am done. It is not blocking any websites it's not supposed to be. Dave

        doktornotor Banned

        Our crystal balls are out of service. Perhaps start with the alerts tab???

          dgall

          Now a lot of websites are getting blocked with this description: (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE. This is happening with normal websites we use every day (Yahoo, eBay, Amazon, etc.); Snort will block it for no reason. What can I change in the settings to make it not so aggressive? I understand having to tweak a few things here and there, but now I am getting a regular "Dave, your firewall is blocking another website."

            doktornotor Banned

            Disable the offending rule. Simple.

              ajrg

              It takes a bit of trial-and-error with Snort (and any other IDS/IPS), but well worth it once you've got it all right.

              When I first went to deploy it, I took a few hours' worth of Squid access logs and went to the most frequently visited sites to get a good list of rules to disable on the production box.

                doktornotor Banned

                Perhaps this thread has some good pointers? https://forum.pfsense.org/index.php?topic=78062.0
                Also: https://raw.githubusercontent.com/jflsakfja/suricata-rules/master/list.txt

                  dgall

                  My problem is I did go through the blocks and alerts at the beginning and made it so everything I wanted to pass through did. A year later, without touching any of the settings, it's starting to block all kinds of websites. While I don't mind going in and changing a few things here and there in pfSense, I don't have time to stop from what I am doing in the shop 5 or 6 times a day because another website is blocked. We have people online looking at all kinds of websites for research and purchasing different things.

                    bmeeks

                    You might just consider running Snort in IDS mode instead of blocking mode.  This would give you alerts on suspicious traffic but would not block it.  The other options are to run less restrictive rules or to spend some time tuning by disabling/suppressing some rules and alerts.

                    Bill

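An added example, not part of the original thread or of the Snort package: one way to find candidates for the disabling/suppressing described above is to tally alerts per rule and see which rules fire across many unrelated remote hosts. It assumes Snort's "fast" alert line format, IPv4 only, a LAN of 192.168.1.0/24, and constructed sample lines; the thresholds are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Fast-format alert: ts [**] [gid:sid:rev] msg [**] [...] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*\{\w+\} (\S+) -> (\S+)"
)

# Constructed sample lines (documentation address ranges, made-up local SID).
SAMPLE_ALERTS = """\
03/14-09:15:02.101234  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.10:80 -> 192.168.1.23:51544
03/14-09:17:40.552001  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.11:80 -> 192.168.1.40:49810
03/14-09:21:13.000871  [**] [1:1000001:1] CONSTRUCTED local test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.23:50112 -> 203.0.113.77:8080
03/14-09:30:55.310442  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.168.1.23:51602
03/14-09:31:02.771210  [**] [1:1000001:1] CONSTRUCTED local test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.23:50113 -> 203.0.113.77:8080
03/14-09:44:19.120034  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.10:80 -> 192.168.1.51:50001
this line is not an alert and is skipped
"""

def tally(log_text):
    """Return {(gid, sid): {"msg", "hits", "peers"}}; peers = remote IPs seen."""
    stats = defaultdict(lambda: {"msg": "", "hits": 0, "peers": set()})
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, msg, src, dst = m.groups()
        entry = stats[(int(gid), int(sid))]
        entry["msg"] = msg
        entry["hits"] += 1
        for endpoint in (src, dst):
            ip = ipaddress.ip_address(endpoint.split(":")[0])  # drop port
            if ip not in HOME_NET:
                entry["peers"].add(str(ip))
    return dict(stats)

def suppress_candidates(stats, min_hits=3, min_peers=2):
    """Suppress-list lines for rules that are noisy across several remote hosts."""
    lines = []
    for (gid, sid), e in sorted(stats.items(), key=lambda kv: -kv[1]["hits"]):
        if e["hits"] >= min_hits and len(e["peers"]) >= min_peers:
            lines.append(f"# {e['msg']} ({e['hits']} hits, {len(e['peers'])} remote hosts)")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines

if __name__ == "__main__":
    print("\n".join(suppress_candidates(tally(SAMPLE_ALERTS))))
```

The output is a list to review before it goes anywhere near a suppress list: a rule that fires against a single remote host, like the constructed local rule here, is left out on purpose.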
                      ajrg

                      @dgall:

                      My problem is I did go through the blocks and alerts at the beginning and made it so everything I wanted to pass through did. A year later, without touching any of the settings, it's starting to block all kinds of websites. While I don't mind going in and changing a few things here and there in pfSense, I don't have time to stop from what I am doing in the shop 5 or 6 times a day because another website is blocked. We have people online looking at all kinds of websites for research and purchasing different things.

                      This does happen occasionally, as new potential threats are added to the rulesets through updates.

                      As bmeeks mentioned, you could either run a generally more permissive ruleset, or disable blocking and have a look at what's going on every so often.

                      Good security does need proper maintenance, as new threats are always emerging.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.