  1. #1
    Newbie
    Join Date
    Aug 2020
    Posts
    4

    Snort decided UT box was a threat ..?

    Hi all,

    New to UT, so this may be an idiot question.

    In a surprise move, last night my UT box was suddenly unable to route packets to the world at large. It turns out that Snort on my pfSense box suddenly decided the UT box was a threat, and blocked it .. which blocked every client behind it.

    I've been moving from a pfSense-based network to a UT network, having bought a HomePro license and all that. In my 2-week trial, things mostly worked great (still learning a few quirks), and I've been moving services to remove the pfSense box eventually. Network diagram attached at the bottom.

    Before last night, this all worked fine. Somehow, for reasons I can't quite fathom or root cause, Snort really doesn't like UT anymore.

    Has anyone else seen this? Have any tips on even how to root cause this? The IDS logs on the pfSense box are not indicative of anything obvious . . .

    Thanks!
    Attached Images

  2. #2
    Untanglit
    Join Date
    Aug 2020
    Posts
    19

    > I've been moving from a pfSense-based network to a UT network, having bought a HomePro license and all that. In my 2-week trial, things mostly worked great (still learning a few quirks), and I've been moving services to remove the pfSense box eventually. Network diagram attached at the bottom.

    Why not go full UT if you're evaluating it to replace pfSense?

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,251

    Nor should it, the nature of Untangle makes it look like it's ARP poisoning the LAN, Snort is working correctly. This sort of thing is what happens when you start stacking security devices. So you're going to have to configure SNORT to knock it off if you want things to keep spinning like this.

    Or... well... remove one of the security systems.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie
    Join Date
    Aug 2020
    Posts
    4

    That was the answer I needed. Thanks. I had to disable Snort to enable reconnecting and posting to the forum, so . . .

    I wonder why it was working for 15 days (exactly) before it tripped Snort's paranoia.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,251

    Probably a definition update somewhere.
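
One way to start root-causing a block like the one in this thread, as an added example that is not from any of the posters: group the Snort alerts that involve the blocked host by the signature that fired, so you can see which rule to suppress or which address to pass-list. It assumes alerts are available in Snort's "fast" text format; the sample lines, addresses and SIDs below are constructed.

```python
import re
from collections import defaultdict

# Layout of one Snort "fast" alert line (assumed log format for this example).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[[^\]]*\]\s+)*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample input: 192.0.2.10 stands in for the blocked box.
SAMPLE = """\
08/20-23:14:07.120011  [**] [1:1000001:1] constructed rule message A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51544 -> 198.51.100.7:443
08/20-23:14:09.450200  [**] [1:1000001:1] constructed rule message A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51546 -> 198.51.100.7:443
08/20-23:15:30.000001  [**] [1:1000002:2] constructed rule message B [**] [Priority: 2] {UDP} 192.0.2.55:5353 -> 198.51.100.7:53
08/20-23:16:02.900300  [**] [1:1000003:1] constructed rule message C [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
not an alert line
""".splitlines()

def host_of(endpoint):
    """Strip a trailing :port from an IPv4 endpoint such as 192.0.2.10:443."""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint

def alerts_for_host(lines, host):
    """Return {(gid, sid): summary} for alerts where host is source or destination."""
    hits = defaultdict(lambda: {"msg": "", "count": 0, "as_src": 0,
                                "first": None, "last": None})
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        src, dst = host_of(m["src"]), host_of(m["dst"])
        if host not in (src, dst):
            continue  # alert concerns some other host
        h = hits[(int(m["gid"]), int(m["sid"]))]
        h["msg"] = m["msg"]
        h["count"] += 1
        h["as_src"] += int(src == host)  # how often the host was the sender
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    for (gid, sid), h in sorted(alerts_for_host(SAMPLE, "192.0.2.10").items()):
        print(f"{gid}:{sid} x{h['count']} (as src {h['as_src']}) "
              f"{h['first']} .. {h['last']}  {h['msg']}")
```

The GID:SID pairs it reports are the values a Snort suppress entry or rule-disable setting is keyed on, and the first timestamp shows when a signature began firing, which can be compared against the time of a rules update.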
