
Author Topic: Installed pfSense and Snort and now YouTube only runs Ads or vids for 60 seconds  (Read 15067 times)


Offline eiger3970

  • Full Member
  • ***
  • Posts: 212
  • Karma: +1/-1
Hi, just installed pfSense and Snort and now YouTube won't play.
YouTube ads play and then the YouTube video won't run.

I rebooted pfSense, Snort and the computer, then YouTube will play the video for 60 seconds, then it's blocked again.

I have tested more computers on the LAN and they also can't play YouTube.
pfSense's CPU and RAM is nowhere over capacity.

Any suggestions?

Offline Jason Litka

  • Hero Member
  • *****
  • Posts: 1294
  • Karma: +53/-1
What snort rules are you using?  What is showing up in your snort block list?  Have you used any of the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw?
I can break anything.

Offline eiger3970

  • Full Member
  • ***
  • Posts: 212
  • Karma: +1/-1
I am using the standard Snort rules available for download upon installing Snort for the 1st time.

The below code is the Snort Blocked list (host, alert, time blocked).
Code:
1  58.162.61.17     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:12:18
2  58.162.61.13     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:17:41
3  58.162.61.14     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:04:32
4  119.15.68.8      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:17:35
5  8.27.248.254     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:33:38
6  74.125.109.136   (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:00:57
7  74.125.109.72    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:02:15
8  119.15.70.30     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:28:37

I don't know about the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw.

I will research to find these, unless someone knows where they are.

Rebooted pfSense and computer this morning after turning off for the night and same issue.
YouTube runs for 3:43 then freezes. Other videos are also not streaming...only the advertisements at the beginning of the videos.

Should I use the suppression list or the Whitelist to allow some websites? What is the more efficient method?
I have added www.youtube.com into the Whitelist filename, but YouTube still won't show.
« Last Edit: February 13, 2014, 06:47:13 pm by eiger3970 »

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3159
  • Karma: +819/-0
You want to add Suppress List entries for those HTTP_INSPECT alerts.  They are considered false positives.  On the ALERTS tab, just click the plus (+) icon next to the GID:SID in the SID column.  That will auto add it to the Suppress List for the interface.  When done adding them, restart Snort on the interface.

You can't really whitelist a domain name.  Snort works only with IP addresses.  It can't realtime decipher a FQDN (fully-qualified domain name) such as "www.youtube.com".  And because a site like YouTube will have a load-balancer in front of a bunch of servers, you can get a different IP address each time you visit the site, or even when you view a different video.  So it becomes a futile task to try and add all the changing IP addresses.


Bill
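
A worked example of the suppression step Bill describes, added here as an illustration and not code from this thread or from the pfSense Snort package. It parses Snort alert lines in the alert_fast log format, counts how often each GID:SID fires and from how many distinct servers, and emits the same `suppress` directives that the pfSense Suppress List tab writes into threshold.conf for the interface. GID 120 is the http_inspect preprocessor and SID 3 is the "NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE" alert from the block list above; the sample log lines, the hit thresholds and the rule SIDs 9000001 and 9000002 are constructed for the example and do not correspond to any published rule.

```python
"""Generate pfSense/Snort Suppress List entries from alert_fast log lines.

Added example, not code from the thread or from the pfSense Snort package.
It reads alerts in Snort's alert_fast format, counts how often each GID:SID
fires and from how many distinct servers, and prints the `suppress` lines
that pfSense writes to threshold.conf for the interface.  Preprocessor
noise such as http_inspect 120:3 seen from many unrelated servers is
suppressed outright; any other signature that crosses the hit threshold is
suppressed only for the source IPs involved (track by_src), so the same
signature firing from a new host still alerts.  Sample alerts and the
thresholds are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# Snort 2.9 alert_fast layout:
#   MM/DD/YY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\S*\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# GID 120 is the http_inspect preprocessor (SID 3 = "NO CONTENT-LENGTH OR
# TRANSFER-ENCODING IN HTTP RESPONSE").  Add other preprocessor GIDs as needed.
PREPROCESSOR_GIDS = {120}

HI = "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"
CLS = "[Classification: Unknown Traffic] [Priority: 3]"

# Constructed sample log: the http_inspect alert from several web servers
# (IPs taken from the block list in the thread) plus two hypothetical rule
# SIDs (9000001, 9000002) that do not correspond to any published rule.
SAMPLE_ALERTS = [
    f"02/14/14-08:00:57.101233  [**] [120:3:1] {HI} [**] {CLS} {{TCP}} 74.125.109.136:80 -> 192.168.1.20:49152",
    f"02/14/14-08:04:32.220118  [**] [120:3:1] {HI} [**] {CLS} {{TCP}} 58.162.61.14:80 -> 192.168.1.20:49160",
    f"02/14/14-08:12:18.431522  [**] [120:3:1] {HI} [**] {CLS} {{TCP}} 58.162.61.17:80 -> 192.168.1.21:50012",
    f"02/14/14-08:17:35.004911  [**] [120:3:1] {HI} [**] {CLS} {{TCP}} 119.15.68.8:80 -> 192.168.1.20:49171",
    "02/14/14-08:20:01.000001  [**] [1:9000001:1] EXAMPLE rule hit [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51000 -> 203.0.113.9:80",
    "02/14/14-08:20:02.000002  [**] [1:9000001:1] EXAMPLE rule hit [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51001 -> 203.0.113.9:80",
    "02/14/14-08:20:03.000003  [**] [1:9000001:1] EXAMPLE rule hit [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51002 -> 203.0.113.9:80",
    "02/14/14-08:25:00.000004  [**] [1:9000002:1] EXAMPLE rare hit [**] [Classification: Misc activity] [Priority: 2] {TCP} 10.0.0.7:51010 -> 203.0.113.10:443",
]


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not parse."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def build_suppress_list(lines, min_hits=3, min_distinct_src=3):
    """Return threshold.conf `suppress` directives for alerts that look like noise."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (int(a["gid"]), int(a["sid"]))
        hits[key] += 1
        sources[key].add(a["src"])

    out = []
    for (gid, sid), n in sorted(hits.items()):
        srcs = sources[(gid, sid)]
        if gid in PREPROCESSOR_GIDS and len(srcs) >= min_distinct_src:
            # Fires from many unrelated servers: protocol noise, drop it everywhere.
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
        elif n >= min_hits:
            # Repeated from specific hosts: silence only those, keep the signature live.
            for ip in sorted(srcs):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
    return out


if __name__ == "__main__":
    for entry in build_suppress_list(SAMPLE_ALERTS):
        print(entry)
```

On the sample log this produces `suppress gen_id 1, sig_id 9000001, track by_src, ip 10.0.0.5` and `suppress gen_id 120, sig_id 3`; the single 9000002 hit is left alone. Paste the lines into the interface's Suppress List in the pfSense Snort package and restart Snort on that interface, which is what the plus icon on the ALERTS tab does one entry at a time. Suppressing by source IP rather than globally is the safer default for real rules: the blanket form is only appropriate for preprocessor alerts that fire on traffic from everywhere.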

Offline eiger3970

  • Full Member
  • ***
  • Posts: 212
  • Karma: +1/-1
Thanks, that seems to have fixed it.

Offline eiger3970

  • Full Member
  • ***
  • Posts: 212
  • Karma: +1/-1
I had to factory restore pfSense and with a fresh install of pfSense, the same issue occurs.
This tells me Snort was not the problem and that the initial Setup Wizard for pfSense doesn't allow a user to use the Internet?

I find this unusual, as when you plug in a router, away you go.
Then if you want to restrict traffic, you add rules.
It seems pfSense has locked down too much, as I can only browse to a few sites and not access search results on how to make the Internet work?

Any suggestions how to allow Internet on pfSense with a standard default Setup Wizard configuration?

Offline phil.davis

  • Hero Member
  • *****
  • Posts: 4612
  • Karma: +550/-3
The factory defaults of pfSense provide full access from any LAN client out WAN to anything on the internet. If your WAN just gets local private DHCP from your ISP router, then make sure to put LAN on a different IP subnet from WAN.
If you really are having trouble with the factory defaults plus wizard setup, then I suggest start a new thread for that. Say what sort of internet connection you have and exactly what you answered in the wizard.
Because it really does work - I have done plenty of these, and many people have done hundreds, and probably thousands.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Offline themod

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
Thank you so much for this.
I've been getting blocked on certain sites, and I've added the default *.site.com/* to hapv and still was getting those darn blocks.
Most of the sites I went to just worked. I saw a lot of the 120:3 SID NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE, and now I can go to them. samsung.ca was one such site, or if you went to a site with a French and an English version. So thank you very much.
AMD E-350D APU with Radeon(tm) HD Graphics
Current: 960 MHz, Max: 1600 MHz
2 CPUs: 1 package(s) x 2 core(s)
8gig ram/16% of 7756 MB

Offline luke1018

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
Hi, may I know, are all "http_inspect" alerts considered false positives?

In that case mine is not picking up any true alerts.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3159
  • Karma: +819/-0
The majority of those HTTP_INSPECT alerts are what we call "false positives", but that is probably not 100% accurate.  The alerts tell you that a given web site is doing something potentially against the accepted standards, but then the other side of that coin is almost all the web sites today do not follow the accepted standards to perfection anyway.  So you will get the HTTP_INSPECT alerts frequently even when the detected traffic is in no way malicious.

So most IDS/IPS admins will start suppressing lots of the HTTP_INSPECT alerts simply due to the log noise they generate.

Bill
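
To make Bill's point concrete, here is an added example (not code from this thread, pfSense or Snort) that applies the HTTP/1.1 message-body length rules from RFC 7230 section 3.3.3 to raw responses and reports which of them fall into the condition named by the http_inspect 120:3 alert. A response with neither Content-Length nor Transfer-Encoding is legal HTTP: the body simply runs until the server closes the connection, which is common for streamed media. The example assumes the alert condition is just "neither framing header on a response that carries a body" and that responses which never carry a body (1xx, 204, 304, replies to HEAD) are exempt; the thread does not state the preprocessor's exact logic, so treat those exemptions as an assumption. The sample responses are constructed.

```python
"""Classify how an HTTP/1.x response delimits its body.

Added example, not code from the thread, pfSense or Snort.  It applies the
message-body length rules of RFC 7230 section 3.3.3 to a raw response and
reports whether the response would fall into the condition named by the
http_inspect alert "NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"
(GID 120, SID 3).  A response with neither header is legal HTTP: the body
runs until the server closes the connection.  That is why the alert fires
on ordinary sites.  Exempting responses that never carry a body (1xx, 204,
304, replies to HEAD) is an assumption of this example, not something the
thread states about the real preprocessor.  Sample responses are constructed.
"""

NO_BODY_CODES = (204, 304)


def parse_head(raw):
    """Split a raw response into (http_version, status_code, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    version, code = status_line.split(" ", 2)[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(code), headers


def expects_no_body(code, request_method):
    """RFC 7230 3.3.3: HEAD replies, 1xx, 204 and 304 never carry a body."""
    return request_method.upper() == "HEAD" or 100 <= code < 200 or code in NO_BODY_CODES


def body_framing(raw, request_method="GET"):
    """Return how the body length is determined, in RFC 7230 3.3.3 precedence order.

    'none'            no body by definition
    'chunked'         Transfer-Encoding ends in chunked
    'content-length'  Content-Length header
    'close-delimited' read until the server closes the connection
    """
    _, code, h = parse_head(raw)
    if expects_no_body(code, request_method):
        return "none"
    te = h.get("transfer-encoding")
    if te is not None:
        # chunked must be the final coding; any other final coding on a
        # response means the body is read to connection close
        final = te.split(",")[-1].strip().lower()
        return "chunked" if final == "chunked" else "close-delimited"
    if "content-length" in h:
        return "content-length"
    return "close-delimited"


def would_trigger_120_3(raw, request_method="GET"):
    """True when neither framing header is present and a body is expected (assumed alert logic)."""
    _, code, h = parse_head(raw)
    if expects_no_body(code, request_method):
        return False
    return "content-length" not in h and "transfer-encoding" not in h


# Constructed sample responses.
R_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
R_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")
# Streamed video with no length and no chunking: legal, but exactly what 120:3 flags.
R_CLOSE = (b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nConnection: close\r\n\r\n"
           b"\x00\x00\x00\x18ftypmp42")
# Transfer-Encoding present but not chunked: header is there, so no alert, yet the
# body is still close-delimited per the RFC.
R_GZIP_TE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: gzip\r\n\r\n..."
R_304 = b"HTTP/1.1 304 Not Modified\r\nETag: \"abc123\"\r\n\r\n"

SAMPLES = {"length": R_LENGTH, "chunked": R_CHUNKED, "close": R_CLOSE,
           "gzip-te": R_GZIP_TE, "304": R_304}


def report(samples=SAMPLES, request_method="GET"):
    """Return {name: (framing, would_trigger)} for each sample response."""
    return {name: (body_framing(raw, request_method), would_trigger_120_3(raw, request_method))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (framing, hit) in report().items():
        print(f"{name:8} framing={framing:16} 120:3={'yes' if hit else 'no'}")
```

The `close` sample is the case the thread is about: a perfectly valid 200 response whose body is delimited by connection close trips the alert, and with the block-offenders option enabled the server's IP lands in the Blocked table, which is why every YouTube front end in the block list above was caught. The `gzip-te` sample shows the other side: the header check passes, although the body is still read to close. The alert is therefore a style check on the server, not evidence of an attack, which is the reason to suppress it rather than to tune it.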