Snort for a Beginner: Advice on False Alerts
-
I activated Snort on my pfSense server. I'm using a Ubiquiti EdgeRouter Pro as my router, so I'm mirroring switch port 1 (communicates with the router) to send the data to my pfSense server to analyze outside network activity.
Are there any common things that should be eliminated to lower false alerts?
I'm getting the following with a decent amount of frequency:
(http_inspect) UNKNOWN METHOD
(http_inspect) SIMPLE REQUEST
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(http_inspect) DOUBLE DECODING ATTACK
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(http_inspect) TOO MANY PIPELINED REQUESTS
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
Should any of the above (or all) be added to the suppress list? I don't want to add something that may be potential for flagging an intrusion attempt.
-
I could be wrong, but I don't think you need to worry about the http_inspect alerts unless you are running a web server.
I am not running a web server and I suppress any alert related to http_inspect when they pop up.
-
I wouldn't say that ALL of the http_inspect rules can be ignored (though like mhertzfeld says, they're probably of greater concern if running a web server to keep an eye on attacks), but many of those rules are designed for strict adherence to specifications that have been flexed in many ways over time to accommodate the tons of applications that use HTTP today as their transport protocol. Your list there is probably the most common ones that can be suppressed without any real concerns.
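As an added example, not code posted by anyone in this thread: a small Python script that reads Snort alert_fast lines and, rather than suppressing an http_inspect GID:SID everywhere, proposes suppress entries scoped to the LAN host that produced the noise (`track by_src` / `track by_dst`), while keeping alerts where outside traffic hit a local web server aside for review. The sample alerts, the GID:SID numbers in them and the 192.168.1.0/24 LAN are constructed; read the real GID:SID values from your own alerts tab before using the output.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort's alert_fast format (not captured traffic).
SAMPLE_ALERTS = """\
03/15-14:22:01.103212  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.20:52311 -> 203.0.113.10:80
03/15-14:22:03.558812  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.20:52315 -> 203.0.113.10:80
03/15-14:23:10.202020  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:52318
03/15-14:24:41.909090  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 198.51.100.7:41000 -> 192.168.1.50:80
"""

# [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Fields of one alert_fast line as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    # gid, sid and the two ports are plain integers; the message and IPs stay strings
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def triage(alert_text, local_cidr):
    """Return (suppress_entries, review_items) for the http_inspect alerts in alert_text.

    LAN host on an ephemeral port = it is the client, so the alert is browsing noise
    and gets a suppress entry scoped to that host. LAN host on the service port =
    outside traffic reached a local server, so the alert is kept for review."""
    local = ip_network(local_cidr)
    noise = defaultdict(set)  # (gid, sid, msg, track) -> LAN hosts that triggered it
    review = []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if not a or "(http_inspect)" not in a["msg"]:
            continue
        if ip_address(a["src"]) in local:     # LAN host is the source: track by_src
            lan_ip, lan_port, track = a["src"], a["sport"], "by_src"
        elif ip_address(a["dst"]) in local:   # LAN host is the destination: track by_dst
            lan_ip, lan_port, track = a["dst"], a["dport"], "by_dst"
        else:
            continue
        if lan_port >= 1024:
            noise[(a["gid"], a["sid"], a["msg"], track)].add(lan_ip)
        else:
            review.append(f'{a["gid"]}:{a["sid"]} {a["msg"]} {a["src"]} -> {lan_ip}:{lan_port}')
    suppress = [
        f"# {msg}\nsuppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"
        for (gid, sid, msg, track), ips in sorted(noise.items()) for ip in sorted(ips)
    ]
    return suppress, review
```

Each returned suppress entry is a comment line plus a `suppress` line in the format pfSense's Snort suppress list accepts; the review list is what you should look at before adding anything.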