[Snort-users] Plex and Netflix issues

Lucas Smith vedalken at veddysec.net
Sat Jan 19 01:04:14 EST 2019


I also use discord behind a PfSense box running snort and do not have any
sort of issues. I seem to recall that Hulu tended to trigger GID 137 on
SIDs 1 and 2 under the preprocessor though I never did figure out why. Are
you using snort on something like PfSense or a different OS? PfSense to
check blocked hosts would be Services > Snort > Blocked. If you see
something like SSL_INVALID_SERVER_HELLO or SSL_INVALID_CLIENT_HELLO, that
would mean GID137:SIDs 1 and 2 would be good to turn off in the
interface-specific settings. It'll be in preprocessor.rules. Like wkitty42
pointed out though, you'll want to look at the alerts raised first before
jumping to disabling rules.

Hope this helps,

Lucas

On Sun, Jan 13, 2019 at 6:33 AM wkitty42--- via Snort-users <
snort-users at lists.snort.org> wrote:

> On 1/13/19 12:45 AM, Ryan Ritchie via Snort-users wrote:
> >     I just need to figure out why it blocked Discord, Plex and Netflix
> and how
> >     to prevent it from blocking it.
>
>
> you look at the alerts that were raised... once you know the rules that
> triggered the alerts, either disable those rules that were triggered OR
> threshold them for those roku and plex devices' IPs...
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list unless*
>         *a signed and pre-paid contract is in effect with us.*
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave at lists.snort.org
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190119/84b14c4e/attachment.html>


More information about the Snort-users mailing list