Netgate Store

Author Topic: SNORT Dynamic WAN IP  (Read 245 times)

0 Members and 1 Guest are viewing this topic.

Offline saduccm

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
SNORT Dynamic WAN IP
« on: January 05, 2018, 03:07:37 am »
Hi,

i have just installed SNORT and configured as best as i can. It also run well for about 1 day, after that i recognized snort i blocking all traffic.
After some researches it seems i got a new WAN IP from my provider and snort didnt recognize that new IP, so it blocked it.

In Snort config i have checked all settings for allowing WAN IPs.

I have also checked in System-Log if packages are reloaded, i also saw an entry there from Snort.

Is there something i a missing or is there another way to restart snort on WAN IP Change?

Offline saduccm

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: SNORT Dynamic WAN IP
« Reply #1 on: January 08, 2018, 03:00:54 am »
Solved, there were some False Positive Alerts which leaded to that Problem.

Offline gryest

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: SNORT Dynamic WAN IP
« Reply #2 on: February 08, 2018, 09:54:25 am »
Hi, I found I have the same problem. I wasn't sure but today internet suddenly stopped when I was online and I found PPPoE is down because WAN IP changed. What happened is: Snort detected new IP connected to website IP I was browsing 5 minutes ago as "port sweep"  and effectively blocked my new WAN IP together with all internet taking down VoiP and Internet radio tuner.

I like to know how to mitigate such problem correctly because next time it can be other false positive or rule trigger same outage.
Is any rule can be added to whitelist WAN IP as alias?
Thanks