
Learning Snort on pfSense


BeachBum

Regular Contributor
Well I've fired up Snort on pfSense 2.3 and have had it running for a day or so in non-blocking mode. I am seeing a lot of these two alerts:

[screenshot: log1.png, Snort alert log showing the two alerts]


Both source IPs are my WAN IP. The destination for rule 141:1 resolves to my website's email server. The destination for rule 137:1 resolves to Apple.

So I'm pretty sure these are false positives, am I wrong? If indeed they are false, then can I safely disable the two rules? That's how I understand you are supposed to do it, correct?
 
Looks like based on the bmeeks tutorial at the pfSense boards that I should suppress based on the triggering IP instead of turning off the rule. So that's what I will start doing.

https://forum.pfsense.org/index.php?topic=61018.120

You can suppress them if you wish, but depending on how you do it you may expose yourself to a real attack (as opposed to the false positive you are likely seeing now). Here is what I would do:

You know the IP address in question (your phone system), so create a suppress list rule by IP address. The easiest way to accomplish this is on the ALERTS tab. Click the plus (+) icon beside the IP address you don't want to block on one of the alert rows. This will create a suppress list entry of type "track by IP". It will be either source (SRC) or destination (DST) depending on which address column you clicked. The entry will be for that specific IP. If you want to suppress by an IP block instead, then after creating the entry as described previously, go to the SUPPRESS LIST tab, find the newly created list and edit it. Change the IP address to a CIDR block.

Bill
 
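As an added illustration (not from the post or from bmeeks's tutorial), this is what the suppress list file the pfSense Snort package writes looks like after the two GUI steps quoted above, using the two alerts from the screenshot. The addresses are constructed RFC 5737 placeholders; the real mail server and Apple ranges are not on the page.

```conf
# Constructed example of a pfSense Snort suppress list (added here; not the
# post's own file). Addresses are documentation placeholders, not real hosts.

# Alert 141:1 -- clicking (+) beside the destination address on the ALERTS tab
# creates a "track by_dst" entry limited to that one host (the mail server).
suppress gen_id 141, sig_id 1, track by_dst, ip 192.0.2.25

# Alert 137:1 -- same click on the destination column, then edited on the
# SUPPRESS LIST tab so the single IP becomes a CIDR block, because the remote
# service answers from many addresses.
suppress gen_id 137, sig_id 1, track by_dst, ip 198.51.100.0/24

# For comparison, an entry with no "track" clause silences the signature for
# every host; that is the broad change the quoted advice cautions against.
# suppress gen_id 137, sig_id 1
```

Suppressing on the destination rather than the WAN source keeps the entry narrow: a by_src entry for the firewall's own WAN IP would hide that signature for all traffic leaving the firewall.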
