Jump to content
Not connected, Your IP: 3.140.242.165
AirVPN
Sign in to follow this  
Followers 0
fdem

pfSense + Snort: (spp_frag3) Fragmentation overlap.

By fdem, ... in Troubleshooting and Problems

Recommended Posts

fdem    0

fdem
Posted ...

Hi,

 

I'm using pfSense 2.1.4-RELEASE (amd64) + pfblocker + snort.

When using AirVPN from a Win7-64bit machine inside my LAN network (official OpenVPN client v. 2.3.4-I001), after a few minutes, I get this messages in the Service --> Snort --> Blocked:

  • (spp_frag3) Fragmentation overlap or
  • (spp_frag3) Fragmentation overlap + (spp_frag3) Teardrop attack.

In this situation the OpenVPN client on the Win7 machine stops working (yellow icon).

Three days ago pfSense notified me "PF was wedged/busy and has been reset"

I had to restart pfSense!!! :-(

pfblocker filters:

  • Bluetack IP Filter
  • ET blockrules compromised
  • ET fwrules emerging Block IPs

SNORT rules: VRT paid Subscriber + ETOpen.

 

Thanks.

Share this post

Link to post

pfSense_fan    181

pfSense_fan
Posted ...

I used snort for over a year on pfSense while connected to AirVPN (now using Suricata) and never had this issue.

 

This begs the questions though... why use the Windows OpenVPN Client when you can use pfSense to connect instead? Your connection is safer using pfense as the OpenVPN client.

 

Another thing to point out... unless you pay for bluetack, the free bluetack lists are a year to two years out dated. Bluetack became a premium service some time ago and the free lists have not been updated since.

 

 

Also... reading up just now what a teardrop attack is, you most likely get that warning because your bootloader and system tunables are not optimized for your system.

 

Really though, use pfSense as the OpenVPN client and this will go away.

Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!

Share this post

Link to post

fdem    0

fdem
Posted ...

Hi pfSense_fan

 

sorry for my late reply. Yes I'm going to implement your solution, so pfSense will be connected to AirVPN as a client.

 

But, I'm wondering why my bootloader and system tunables are not optimized for my system...

 

My setup:

 

pfSense firewall 2.1.5-RELEASE (amd64)
motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (WiFi) ~ Hard Disk: Western Digital WD10JFCX Red.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  
Followers 0
Go To Topic Listing
×
×
  • Create New...