[Snort-users] Plex and Netflix issues

Lucas Smith vedalken at veddysec.net
Sun Jan 20 17:42:27 EST 2019


With Discord, as long as you know the server you're connecting to for voice
traffic, yes. If it's triggering GID 137 rules in the preprocessor though,
you're probably better off turning those rules off instead of trying to
whitelist because I know those rules will also hit Hulu and a few other
streaming services which use CDNs. Not sure if suppressing would be
viable as a fix. Others may know a better option than I on this.

Lucas

On Sat, Jan 19, 2019 at 12:15 AM Ryan Ritchie <ryno5514 at gmail.com> wrote:

> Thanks,
>
> I will look into the edits. Is there a better way to filter the traffic
> from said apps to make sure it is that traffic?
>
> On Fri, Jan 18, 2019, 11:05 PM Lucas Smith via Snort-users <
> snort-users at lists.snort.org> wrote:
>
>> I also use Discord behind a pfSense box running Snort and do not have any
>> sort of issues. I seem to recall that Hulu tended to trigger GID 137 on
>> SIDs 1 and 2 under the preprocessor though I never did figure out why. Are
>> you using Snort on something like pfSense or a different OS? pfSense to
>> check blocked hosts would be Services > Snort > Blocked. If you see
>> something like SSL_INVALID_SERVER_HELLO or SSL_INVALID_CLIENT_HELLO, that
>> would mean GID137:SIDs 1 and 2 would be good to turn off in the
>> interface-specific settings. It'll be in preprocessor.rules. Like wkitty42
>> pointed out though, you'll want to look at the alerts raised first before
>> jumping to disabling rules.
>>
>> Hope this helps,
>>
>> Lucas
>>
>> On Sun, Jan 13, 2019 at 6:33 AM wkitty42--- via Snort-users <
>> snort-users at lists.snort.org> wrote:
>>
>>> On 1/13/19 12:45 AM, Ryan Ritchie via Snort-users wrote:
>>> > I just need to figure out why it blocked Discord, Plex and Netflix and how
>>> > to prevent it from blocking it.
>>>
>>>
>>> you look at the alerts that were raised... once you know the rules that
>>> triggered the alerts, either disable those rules that were triggered OR
>>> threshold them for those roku and plex devices' IPs...
>>>
>>>
>>> --
>>>   NOTE: No off-list assistance is given without prior approval.
>>>         *Please keep mailing list traffic on the list unless*
>>>         *a signed and pre-paid contract is in effect with us.*
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.snort.org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>>         To unsubscribe, send an email to:
>>>         snort-users-leave at lists.snort.org
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>> Please follow these rules:
>>> https://snort.org/faq/what-is-the-mailing-list-etiquette
>>>
>
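The triage described in the thread (read the alerts, find which GID:SID fired, then tune per device rather than globally), as an added example that is not part of the original messages. It assumes Snort 2.x "fast" alert log lines, a hypothetical LAN of 192.168.1.0/24, and constructed sample alerts; the emitted lines use the Snort 2.x `suppress` syntax and are candidates to review, not a recommendation from the posters.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort 2.x "fast" alert format (not from the thread).
SAMPLE_ALERTS = """\
01/13-00:41:12.101010  [**] [137:1:1] SSL_INVALID_CLIENT_HELLO [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.50:51234 -> 203.0.113.10:443
01/13-00:41:13.202020  [**] [137:2:1] SSL_INVALID_SERVER_HELLO [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:443 -> 192.168.1.50:51234
01/13-00:42:01.303030  [**] [137:1:1] SSL_INVALID_CLIENT_HELLO [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.60:40022 -> 198.51.100.7:443
01/13-00:43:40.404040  [**] [1:2000001:3] CONSTRUCTED text rule hit [**] [Priority: 1] {TCP} 192.168.1.50:51300 -> 198.51.100.9:80
garbage line that should be skipped
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def tally(text, lan="192.168.1.0/24"):
    """Count alerts per (gid, sid, msg, LAN host); unparseable lines are skipped."""
    net = ipaddress.ip_network(lan)  # assumed LAN range, adjust to your network
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        # The LAN device may be source (client hello) or destination (server hello).
        local = next((ip for ip in (m["src"], m["dst"])
                      if ipaddress.ip_address(ip) in net), None)
        if local is None:
            continue
        counts[(int(m["gid"]), int(m["sid"]), m["msg"], local)] += 1
    return counts


def suppress_lines(counts, gid=137):
    """Build per-host suppress entries for one generator; other GIDs stay untouched."""
    out = set()
    for (g, s, _msg, host) in counts:
        if g == gid:
            for track in ("by_src", "by_dst"):
                out.add(f"suppress gen_id {g}, sig_id {s}, track {track}, ip {host}")
    return sorted(out)


if __name__ == "__main__":
    hits = tally(SAMPLE_ALERTS)
    for key, n in sorted(hits.items()):
        print(n, key)
    print("\n".join(suppress_lines(hits)))
```

Scoping each entry to a host keeps GID 137 alerting for every other device on the interface, which a global disable in preprocessor.rules would not.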