Bug #14514
closed
SNORT randomly starts blocking the IP address on the interface that it is residing on
Description
Hello fellow pfSense Redmine team members,
I have found an issue where SNORT starts to block out my IP address that is issued from the ISP. It is as if someone spoofs my IP address and starts doing scans of my own network. Once the system spots it and blocks out my address, it causes a fail-closed event. Keep in mind my IP address is not listed on any of the block lists that I could find; however, the logs act as if it is. This occurs at random times, sometimes during config changes and sometimes when using my Windows 10 laptop from college.
Updated by Jonathan Lee over 1 year ago
Hello fellow Redmine members,
I do understand that adding my ISP-issued IP address to the pass list and/or suppress list will resolve this. This ticket is open because Snort seems to act as if my ISP address is listed within all of the rule sets at once, intermittently.
Updated by Marcos M about 1 year ago
- Related to Bug #14754: Snort security issue bug within tcp/UDP scan detection blocking tool DoS event added
Updated by Jonathan Lee about 1 year ago
https://redmine.pfsense.org/issues/14821
Related Feature Request