#1 (permalink)
Untanglit
Join Date: Sep 2011
Posts: 28
Hi,
I just wanted to let whoever works on this thing know that in order to be able to play Rift, an extremely popular MMO title, I had to disable rule 3466 as it prevents the patcher from logging you in and hence makes the game unplayable. Could this be changed or updated? I have disabled the rule. Is there an area for reporting false positives? This would seem a useful feature, especially if a AAA game is getting blocked. Thanks.
#2 (permalink)
Master Untangler
Join Date: Aug 2011
Location: Buckhannon, WV
Posts: 121
These are rules that come from Snort's rule database. It does appear that this rule has been deleted from their ruleset online but that update has not been applied to Untangle.
http://www.snort.org/search/sid/3466?r=1
#3 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,457
It's an IDS, they false positive by their nature. If you don't want to manage it, turn the module off and move on.
The change here is that in 9.0 the module actually works! In 8.0 and prior releases of Untangle the IDS really didn't do much of anything.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#4 (permalink)
Untanglit
Join Date: Sep 2011
Posts: 28
I didn't say I want to turn it off. It would do no harm to make it more user friendly though and have a simple process for declaring false positives. That's what I would do if it was my code and I was trying to make it user friendly and keep selling it or something like that.
Just a suggestion. "Turn it off!" seems a bit drastic.
#5 (permalink)
Master Untangler
Join Date: Aug 2011
Location: Buckhannon, WV
Posts: 121
sky-knight is correct. An IDS will always throw some false-positives. It is the nature of the beast. Often rules are written in a fuzzy manner that can match some legitimate traffic. Quite often Snort releases a rule that they think will detect an attack and once the rule is on millions of boxes it is determined that it detects a lot of legitimate traffic. Just as was the case with this rule it has now been deleted from the Snort rule database. The appropriate action if you feel a rule is inappropriate is to submit a request to Snort since they manage the database.
An IDS is something that should be monitored and you should act upon IDS logs. An IDS does absolutely no good if the logs are not monitored and you are not willing to actively manage it by turning rules on/off. I'm sorry if you think turning it off sounds a bit drastic but IDS is one of those features that is great for people who want to manage it and is completely pointless for those that don't. Not every module is a good idea for every user.
#6 (permalink)
Untangle Junkie
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,612
__________________
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com