Snort Suppress List Question



  • I'm new to pfSense and even newer to Snort.

    Installed Snort, had it running for a couple days then noticed I wasn't blocking anything.  Just monitoring.

    I enabled blocking and shortly after darn near couldn't pull down any web sites.  So I googled around and found out there are a bunch of false positives so I began to suppress things (based on things I read mostly on this forum).

    So right now I'm pretty much doing most of what I generally do online with no failures.  Last thing I noticed though was my Mac email wasn't working.  Then I cleared the blocks and it started working.  I figured out by trial and error it was the Unknown IMAP4 command so I suppressed it and sure enough email starts working again.

    So I'm a trial and error guy but I am NOT a firewall guy, or a threat monitoring guy so I'm posting my current suppress list in the hopes an expert can tell me what's right or what's wrong or "Oh My God Don't Do That".

    Any advice helps.  Thanks.  I changed my IP to all X's

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    
    #(http_inspect) UNESCAPED SPACE IN HTTP URI
    suppress gen_id 119, sig_id 33
    
    #(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
    suppress gen_id 120, sig_id 18
    
    #(spp_ssl) Invalid Client HELLO after Server HELLO Detected
    suppress gen_id 137, sig_id 1, track by_src, ip xxx.xxx.xxx.xxxx
    
    #(IMAP) Unknown IMAP4 command
    suppress gen_id 141, sig_id 1, track by_src, ip xxx.xxx.xxx.xxx
    
    


  • Here is a great thread of Suppress List contributions from some other Snort users:  https://forum.pfsense.org/index.php?topic=56267.0.  This is just my personal opinion – there are lots of issues with the preprocessor rules in Snort.  They seem to alert on a bunch of stuff that is somewhat common on the web today.  There was a lively discussion about two years ago here on the forum about this and other VRT and ET rules that are really obsolete but were never removed from the rules.  These at best consume CPU resources, and at worst can false-positive.

    Bill