I posted this in the forums yesterday, but no one answered. Trying this route now.

Having some issues with Snort blocking Kerio Webmail after a user has logged in. A user hits the External facing web page via SSL (Port 443) with no issues. Goes through login, gets a display of their email, but after clicking on 1 or 2, Snort will then flag the IP with the following information:

PROTO:255 (portscan) TCP Filtered Portscan 122:5:0

I turned off Port Scan Preprocessor completely and the alert stops showing up and the traffic is allowed. Is there a way I can fine tune the rules to allow this traffic and keep the Port Scan blocker on?

Snort Info
Services: Snort 2.8.6.1 pkg v. 1.33
SNORT.ORG >>> "8d1ebdd08ac1c861a79e8f0e75f8b5c4"
EMERGINGTHREATS.NET >>> 6511
PFSENSE.ORG >>> 102

Tom Norbut, PMP, MCSE
IT Manager
Lutz Sales, Inc
630-994-4111 (Direct)
630-539-5500 (Main)
[email protected]

*Check out our Blog: http://lutzsalesorings.blogspot.com
*Save paper! Ask your Customer Service representative about new EMAIL INVOICES
*Track FedEx & UPS shipments via P.O. number at www.lutzsales.com
*Download the O-Ring Handbook or get an RFQ at www.LutzSales.com
