Netgate Discussion Forum

    SNORT

    IDS/IPS
    12 Posts 4 Posters 1.4k Views
    NogBadTheBad

      As Bill said run it in alerting mode.

      Dump the data from Services -> Snort -> Alerts into a spreadsheet for a baseline.

      I found these to be false positives.

      [image: 0_1532964928752_a905ca7e-37e7-4366-876e-88444e368779-image.png]

      ^^ didn't know this would happen when copying from a spreadsheet. ☺

      HI_CLIENT_DOUBLE_DECODE 119:2
      HI_CLIENT_BARE_BYTE 119:4
      HI_CLIENT_IIS_UNICODE 119:7
      HI_CLIENT_UNKNOWN_METHOD 119:31
      HI_CLIENT_SIMPLE_REQUEST 119:32
      HI_CLIENT_UNESCAPED_SPACE_IN_URI 119:33
      HI_SERVER_NO_CONTLEN 120:3
      HI_CLISRV_MSG_SIZE_EXCEPTION 120:8
      SSL_INVALID_CLIENT_HELLO 137:1
      SSL_INVALID_SERVER_HELLO 137:2

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

    ITlomb

        Greetings.

        Thank you for this insight.

        So this is my question at this moment. If you see my example below, and it is a malware threat, what is the process that I need to follow?
        [image: 0_1533041830576_c7f105ab-8e17-48ff-b950-eb1ef7291eef-image.png]

        Since I'm seeing this in the Alert logs, is it just passing through, or is my firewall/Snort actually doing something with it? When I hover over the + symbol my only option is to suppress. But that means it's just going to ignore the alert, right?

        This is somewhat confusing, as looking at this alert I have no clue what to do with it.

        Hope this makes sense

        Regards

    NogBadTheBad

          If you're running Snort in alerting mode it will only ever warn.

          Is the dst address your WAN address or an address on your LAN?

          Suppress means allow and don't log.

          Anything marked Malware / Trojan, I'd try and locate the host on your LAN ASAP.

          Google the SID.

          https://www.snort.org/rule_docs/1-31136

          Andy

    ITlomb

            Hi NBTB

            The dst address is my WAN address.

            Is there no way to have, Just like the suppress button, but this time a block button?

            Regards

    NogBadTheBad

              You could use IP reputation and a blacklist:

              [image: 0_1533046894652_Untitled 2.jpeg]

              But do you have something on the LAN that's causing the issue?

              Otherwise block on the WAN for all:

              [image: 0_1533047050896_Untitled.jpeg]

              Andy

    ITlomb

                Hi

                I have a network of 50 users, so I'd need to go through each PC to do a scan.
                Thanks for the advice above, I'll look into this.
                :)

    NogBadTheBad

                  Try adding snort on the LAN.

                  Andy

    ITlomb

                    Thank you.

                    Will give LAN a bash on Snort, not sure if this is wise though.

                    Regards

    jdeloach @ITlomb

                      @itlomb said in SNORT:

                          Thank you.

                          Will give LAN a bash on Snort, not sure if this is wise though.

                          Regards

                      The traffic you're seeing on the WAN is just the normal noise on the web and is, by default, blocked by pfSense.

                      By running Snort on the LAN, you can now easily see which computers on your network are generating the traffic that Snort is showing. Then you can take the appropriate action to either stop or allow this traffic through your pfSense.

    ITlomb

                        Greetings.

                        Thank you. I have enabled the LAN and it does start making sense.

                        Thank you very much for all your advice. Still much to learn :)

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.