4. Snort Suppress List Question

Snort Suppress List Question

  • H

    I'm new to pfSense and even newer to Snort.

    Installed Snort, had it running for a couple days then noticed I wasn't blocking anything.  Just monitoring.

    I enabled blocking and shortly after darn near couldn't pull down any web sites.  So I googled around and found out there are a bunch of false positives so I began to suppress things (based on things I read mostly on this forum).

    So right now I'm pretty much doing most of what I generally do online with no failures.  Last thing I noticed though was my Mac email wasn't working.  Then I cleared the blocks and it started working.  I figured out by trial and error it was the Unknown IMAP4 command so I suppressed it and sure enough email starts working again.

    So I'm a trial and error guy but I am NOT a firewall guy, or a threat monitoring guy so I'm posting my current suppress list in the hopes an expert can tell me what's right or what's wrong or "Oh My God Don't Do That".

    Any advice helps.  Thanks.  I changed my IP to all X's

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3

#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33

#(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
suppress gen_id 120, sig_id 18

#(spp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1, track by_src, ip xxx.xxx.xxx.xxxx

#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1, track by_src, ip xxx.xxx.xxx.xxx
    0

  • Here is a great thread of Suppress List contributions from some other Snort users:  https://forum.pfsense.org/index.php?topic=56267.0.  This is just my personal opinion – there are lots of issues with the preprocessor rules in Snort.  They seem to alert on a bunch of stuff that is somewhat common on the web today.  There was a lively discussion about two years ago here on the forum about this and other VRT and ET rules that are really obsolete but were never removed from the rules.  These at best consume CPU resources, and at worst can false-positive.

    Bill

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy