I see a lot of false positives on my systems. It annoys me like hell tbh.
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#PSNG_TCP_PORTSWEEP
suppress gen_id 122, sig_id 3
#ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)
suppress gen_id 1, sig_id 2011124
#ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
suppress gen_id 1, sig_id 2002994
#PSNG_TCP_PORTSWEEP_FILTERED
suppress gen_id 122, sig_id 7
#ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
suppress gen_id 1, sig_id 2002994
#FILE-IDENTIFY download of executable content
suppress gen_id 1, sig_id 11192
#FILE-IDENTIFY Portable Executable binary file magic detected
suppress gen_id 1, sig_id 15306
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819
#FILE-IDENTIFY Portable Executable binary file magic detected
suppress gen_id 1, sig_id 15306
This is my suppress list, but its not nearly as long as it should be!
(http_inspect) IIS UNICODE CODEPOINT ENCODING - 02/22-03:06:06 is triggered.
FILE-IDENTIFY download of executable content - 02/02-06:01:51
ET INFO Packed Executable Download - 02/02-06:01:51
ET POLICY PE EXE or DLL Windows file download - 02/02-06:01:51
FILE-IDENTIFY Portable Executable binary file magic detected - 02/02-06:01:51
Is triggered on whitelisted SRC IP's. It blocks Windows Update among other things.
So snort is in my view not working as it should and its CORE functionality for a modern FW.
