
Installed pfSense and Snort and now YouTube only runs Ads or vids for 60 seconds


eiger3970:
Hi, just installed pfSense and Snort and now YouTube won't play.
YouTube ads play and then the YouTube video won't run.

I rebooted pfSense, Snort and the computer, then YouTube will play the video for 60 seconds, then it's blocked again.

I have tested more computers on the LAN and they also can't play YouTube.
pfSense's CPU and RAM are nowhere over capacity.

Any suggestions?

Jason Litka:
What Snort rules are you using? What is showing up in your Snort block list? Have you used any of the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw?

eiger3970:
I am using the standard Snort rules available for download upon installing Snort for the 1st time.

The below code is the Snort Blocked list.

--- Code: ---
1 58.162.61.17   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:12:18 Delete host from Blocked Table
2 58.162.61.13   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:17:41 Delete host from Blocked Table
3 58.162.61.14   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:04:32 Delete host from Blocked Table
4 119.15.68.8   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:17:35 Delete host from Blocked Table
5 8.27.248.254   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:33:38 Delete host from Blocked Table
6 74.125.109.136   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:00:57 Delete host from Blocked Table
7 74.125.109.72   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:02:15 Delete host from Blocked Table
8 119.15.70.30   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:28:37

--- End code ---

I don't know about the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw.

I will research to find these, unless someone knows where they are.

Rebooted pfSense and computer this morning after turning off for the night and same issue.
YouTube runs for 3:43 then freezes. Other videos are also not streaming...only the advertisements at the beginning of the videos.

Should I use the suppression list or the Whitelist to allow some websites? What is the more efficient method?
I have added www.youtube.com into the Whitelist filename, but YouTube still won't show.

bmeeks:

--- Quote from: eiger3970 on February 13, 2014, 04:10:37 pm ---I am using the standard Snort rules available for download upon installing Snort for the 1st time.

The below code is the Snort Blocked list.

--- Code: ---
1 58.162.61.17   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:12:18 Delete host from Blocked Table
2 58.162.61.13   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:17:41 Delete host from Blocked Table
3 58.162.61.14   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:04:32 Delete host from Blocked Table
4 119.15.68.8   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:17:35 Delete host from Blocked Table
5 8.27.248.254   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:33:38 Delete host from Blocked Table
6 74.125.109.136   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:00:57 Delete host from Blocked Table
7 74.125.109.72   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:02:15 Delete host from Blocked Table
8 119.15.70.30   Resolve host via reverse DNS lookup (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 02/14/14-08:28:37

--- End code ---

I don't know about the posted suppression lists to cut down on the MASSIVE number of false-positives that the default IPS Policy rulesets will throw.

I will research to find these, unless someone knows where they are.

Rebooted pfSense and computer this morning after turning off for the night and same issue.
YouTube runs for 3:43 then freezes. Other videos are also not streaming...only the advertisements at the beginning of the videos.

Should I use the suppression list or the Whitelist to allow some websites? What is the more efficient method?
I have added www.youtube.com into the Whitelist filename, but YouTube still won't show.

--- End quote ---

You want to add Suppress List entries for those HTTP_INSPECT alerts.  They are considered false positives.  On the ALERTS tab, just click the plus (+) icon next to the GID:SID in the SID column.  That will auto add it to the Suppress List for the interface.  When done adding them, restart Snort on the interface.

You can't really whitelist a domain name.  Snort works only with IP addresses.  It can't realtime decipher a FQDN (fully-qualified domain name) such as "www.youtube.com".  And because a site like YouTube will have a load-balancer in front of a bunch of servers, you can get a different IP address each time you visit the site, or even when you view a different video.  So it becomes a futile task to try and add all the changing IP addresses.


Bill
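
The reply above makes two points: suppress the alert by GID:SID, and do not chase the changing server IPs. The script below is an added example (not part of the thread or of the pfSense Snort package) that tallies alerts per GID:SID and prints Suppress List lines for signatures that fired against many distinct hosts, as candidates to review. It assumes alert lines in Snort's alert_fast text layout and takes 120:3 as the GID:SID of this http_inspect alert; the sample lines are constructed (source IPs borrowed from the blocked list in the thread; the LAN host, ports, the local rule 1:1000001 and the `min_sources` threshold are hypothetical).

```python
import re
from collections import defaultdict

# Constructed sample in Snort's alert_fast layout. Source IPs come from the
# blocked list in the thread; the LAN host, ports and the local rule
# 1:1000001 are made up for illustration.
HI = "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"
TAIL = "[Classification: Unknown Traffic] [Priority: 3] {TCP}"
SAMPLE_ALERTS = "\n".join([
    f"02/14/14-08:00:57.000000  [**] [120:3:1] {HI} [**] {TAIL} 74.125.109.136:80 -> 192.168.1.10:50101",
    f"02/14/14-08:01:10.000000  [**] [120:3:1] {HI} [**] {TAIL} 74.125.109.136:80 -> 192.168.1.10:50102",
    f"02/14/14-08:02:15.000000  [**] [120:3:1] {HI} [**] {TAIL} 74.125.109.72:80 -> 192.168.1.10:50103",
    f"02/14/14-08:04:32.000000  [**] [120:3:1] {HI} [**] {TAIL} 58.162.61.14:80 -> 192.168.1.10:50104",
    f"02/14/14-08:12:18.000000  [**] [120:3:1] {HI} [**] {TAIL} 58.162.61.17:80 -> 192.168.1.10:50105",
    f"02/14/14-08:17:35.000000  [**] [120:3:1] {HI} [**] {TAIL} 119.15.68.8:80 -> 192.168.1.10:50106",
    f"02/14/14-08:20:00.000000  [**] [1:1000001:1] LOCAL constructed test rule [**] {TAIL} 119.15.68.8:80 -> 192.168.1.10:50107",
])

# Captures gid, sid, message and the IPv4 source address of one alert line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*?"
    r"\{\w+\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? ->"
)

def summarize(alert_text):
    """Group alerts by (gid, sid): message, hit count, distinct source IPs."""
    stats = defaultdict(lambda: {"msg": "", "count": 0, "sources": set()})
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or unparseable lines
        gid, sid, msg, src = m.groups()
        entry = stats[(int(gid), int(sid))]
        entry["msg"] = msg
        entry["count"] += 1
        entry["sources"].add(src)
    return dict(stats)

def suppress_candidates(stats, min_sources=3):
    """Suppress List lines for signatures seen from many distinct hosts."""
    lines = []
    for (gid, sid), e in sorted(stats.items()):
        if len(e["sources"]) >= min_sources:
            lines.append(f"# {e['msg']}: {e['count']} alerts, {len(e['sources'])} hosts")
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines

if __name__ == "__main__":
    print("\n".join(suppress_candidates(summarize(SAMPLE_ALERTS))))
```

One signature spread across five server addresses is the pattern the reply describes: a single GID:SID suppression covers all of them, while an IP-based whitelist would need a new entry for every address the load balancer hands out.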

eiger3970:
Thanks, that seems to have fixed it.
