4. Snort Suppress List Question

Snort Suppress List Question

  • H

    I'm new to pfSense and even newer to Snort.

    Installed Snort, had it running for a couple days then noticed I wasn't blocking anything.  Just monitoring.

    I enabled blocking and shortly after darn near couldn't pull down any web sites.  So I googled around and found out there are a bunch of false positives so I began to suppress things (based on things I read mostly on this forum).

    So right now I'm pretty much doing most of what I generally do online with no failures.  Last thing I noticed though was my Mac email wasn't working.  Then I cleared the blocks and it started working.  I figured out by trial and error it was the Unknown IMAP4 command so I suppressed it and sure enough email starts working again.

    So I'm a trial and error guy but I am NOT a firewall guy, or a threat monitoring guy so I'm posting my current suppress list in the hopes an expert can tell me what's right or what's wrong or "Oh My God Don't Do That".

    Any advice helps.  Thanks.  I changed my IP to all X's

    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3

#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8

#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33

#(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
suppress gen_id 120, sig_id 18

#(spp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1, track by_src, ip xxx.xxx.xxx.xxxx

#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1, track by_src, ip xxx.xxx.xxx.xxx
    0

  • Here is a great thread of Suppress List contributions from some other Snort users:  https://forum.pfsense.org/index.php?topic=56267.0.  This is just my personal opinion – there are lots of issues with the preprocessor rules in Snort.  They seem to alert on a bunch of stuff that is somewhat common on the web today.  There was a lively discussion about two years ago here on the forum about this and other VRT and ET rules that are really obsolete but were never removed from the rules.  These at best consume CPU resources, and at worst can false-positive.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy