Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Snort Suppress List Question

    IDS/IPS
    2
    2
    7118
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hagensieker last edited by

      I'm new to pfSense and even newer to Snort.

      Installed Snort, had it running for a couple days then noticed I wasn't blocking anything.  Just monitoring.

      I enabled blocking and shortly after darn near couldn't pull down any web sites.  So I googled around and found out there are a bunch of false positives so I began to suppress things (based on things I read mostly on this forum).

      So right now I'm pretty much doing most of what I generally do online with no failures.  Last thing I noticed though was my Mac email wasn't working.  Then I cleared the blocks and it started working.  I figured out by trial and error it was the Unknown IMAP4 command so I suppressed it and sure enough email starts working again.

      So I'm a trial and error guy but I am NOT a firewall guy, or a threat monitoring guy so I'm posting my current suppress list in the hopes an expert can tell me what's right or what's wrong or "Oh My God Don't Do That".

      Any advice helps.  Thanks.  I changed my IP to all X's

      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3

#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33

#(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
suppress gen_id 120, sig_id 18

#(spp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1, track by_src, ip xxx.xxx.xxx.xxxx

#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1, track by_src, ip xxx.xxx.xxx.xxx
      1 Reply Last reply Reply Quote 1
      • bmeeks
        bmeeks last edited by

        Here is a great thread of Suppress List contributions from some other Snort users:  https://forum.pfsense.org/index.php?topic=56267.0.  This is just my personal opinion – there are lots of issues with the preprocessor rules in Snort.  They seem to alert on a bunch of stuff that is somewhat common on the web today.  There was a lively discussion about two years ago here on the forum about this and other VRT and ET rules that are really obsolete but were never removed from the rules.  These at best consume CPU resources, and at worst can false-positive.

        Bill

        1 Reply Last reply Reply Quote 1
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy