Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Taming Snort

    Scheduled Pinned Locked Moved IDS/IPS
    4 Posts 3 Posters 5.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Stewart
      last edited by

      I'm sorry if this has been asked before.  I've searched and plodded through many posts but none seem to have an answer that works for me.

      I'm running 2.3.2-Release with Snort 3.2.9.1_14.  I have Snort enabled on the WAN interface.  I have unchecked everything in WAN categories. I've not touched any rules, variables, preprocs, etc.  In short I have Snort enabled and On but it seems to block a whole bunch of legitimate stuff at its most basic setting.

      For example, running a test at speedtest.bhn.net get blocked. 
      1 97.69.182.4
      (http_inspect) PROTOCOL-OTHER HTTP server response before client request – 2016-10-17 19:49:59
      (http_inspect) UNESCAPED SPACE IN HTTP URI -- 2016-10-17 19:49:58
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 19:49:58

      Some others that have been blocked in just the last little bit:
      2 74.208.213.69
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 19:49:51
      3 17.171.98.35
      (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:54:17
      4 172.233.133.207
      (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:56:06
      5 17.248.137.116
      (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:56:09
      6 17.249.153.246
      (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:57:13
      7 93.184.216.229
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:01:12
      8 72.21.81.253
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:03:33
      9 54.245.239.64
      (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE -- 2016-10-17 20:04:00
      10 66.61.170.18
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:04:52
      11 52.84.76.191
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:04:52

      I only want it to block malicious things like intrusions or infections.  These don't seem like those.  Can someone help me get this sorted?  Thanks.

      Edit:  If it helps, here is my Suppression List:

      suppress gen_id 1, sig_id 536
      suppress gen_id 1, sig_id 648
      suppress gen_id 1, sig_id 653
      suppress gen_id 1, sig_id 1390
      suppress gen_id 1, sig_id 2452
      suppress gen_id 1, sig_id 8375
      suppress gen_id 1, sig_id 11192
      suppress gen_id 1, sig_id 12286
      suppress gen_id 1, sig_id 15147
      suppress gen_id 1, sig_id 15306
      suppress gen_id 1, sig_id 15362
      suppress gen_id 1, sig_id 16313
      suppress gen_id 1, sig_id 16482
      suppress gen_id 1, sig_id 17458
      suppress gen_id 1, sig_id 20583
      suppress gen_id 1, sig_id 23098
      suppress gen_id 1, sig_id 23256
      suppress gen_id 1, sig_id 24889
      suppress gen_id 1, sig_id 2000334
      suppress gen_id 1, sig_id 2000419
      suppress gen_id 1, sig_id 2003195
      suppress gen_id 1, sig_id 2008120
      suppress gen_id 1, sig_id 2008578
      suppress gen_id 1, sig_id 2010516
      suppress gen_id 1, sig_id 2010935
      suppress gen_id 1, sig_id 2010937
      suppress gen_id 1, sig_id 2011716
      suppress gen_id 1, sig_id 2012086
      suppress gen_id 1, sig_id 2012088
      suppress gen_id 1, sig_id 2012141
      suppress gen_id 1, sig_id 2012252
      suppress gen_id 1, sig_id 2012758
      suppress gen_id 1, sig_id 2013222
      suppress gen_id 1, sig_id 2013414
      suppress gen_id 1, sig_id 2014518
      suppress gen_id 1, sig_id 2014520
      suppress gen_id 1, sig_id 2014726
      suppress gen_id 1, sig_id 2014819
      suppress gen_id 1, sig_id 2015561
      suppress gen_id 1, sig_id 2100366
      suppress gen_id 1, sig_id 2100368
      suppress gen_id 1, sig_id 2100651
      suppress gen_id 1, sig_id 2101390
      suppress gen_id 1, sig_id 2101424
      suppress gen_id 1, sig_id 2102314
      suppress gen_id 1, sig_id 2103134
      suppress gen_id 1, sig_id 2103192
      suppress gen_id 1, sig_id 2013504
      suppress gen_id 1, sig_id 2406003
      suppress gen_id 1, sig_id 2406067
      suppress gen_id 1, sig_id 2406069
      suppress gen_id 1, sig_id 2406424
      suppress gen_id 1, sig_id 2500056
      suppress gen_id 1, sig_id 100000230
      suppress gen_id 3, sig_id 14772
      #(http_inspect) DOUBLE DECODING ATTACK
      suppress gen_id 119, sig_id 2
      #(http_inspect) BARE BYTE UNICODE ENCODING
      suppress gen_id 119, sig_id 4
      #(http_inspect) IIS UNICODE CODEPOINT ENCODING
      suppress gen_id 119, sig_id 7
      #(http_inspect) NON-RFC DEFINED CHAR [**]
      suppress gen_id 119, sig_id 14
      #(http_inspect) UNKNOWN METHOD
      suppress gen_id 119, sig_id 31
      #(http_inspect) SIMPLE REQUEST
      suppress gen_id 119, sig_id 32
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 2
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 3
      #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
      suppress gen_id 120, sig_id 4
      #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
      suppress gen_id 120, sig_id 6
      #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
      suppress gen_id 120, sig_id 8
      #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
      suppress gen_id 120, sig_id 9
      # Unknown
      suppress gen_id 120, sig_id 10
      suppress gen_id 122, sig_id 19
      suppress gen_id 122, sig_id 21
      suppress gen_id 122, sig_id 22
      suppress gen_id 122, sig_id 23
      suppress gen_id 122, sig_id 26
      #(spp_frag3) Bogus fragmentation packet. Possible BSD attack
      suppress gen_id 123, sig_id 10
      #(smtp) Attempted response buffer overflow: 1448 chars
      suppress gen_id 124, sig_id 3
      #(ftp_telnet) Invalid FTP Command
      suppress gen_id 125, sig_id 2
      #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
      suppress gen_id 137, sig_id 1
      # Credit Card Numbers
      suppress gen_id 138, sig_id 2
      # U.S. Social Security Numbers (with dashes)
      suppress gen_id 138, sig_id 3
      # U.S. Social Security Numbers (w/out dashes)
      suppress gen_id 138, sig_id 4
      # Email Addresses
      suppress gen_id 138, sig_id 5
      # U.S. Phone Numbers
      suppress gen_id 138, sig_id 6
      #(spp_sip) Maximum dialogs within a session reached
      suppress gen_id 140, sig_id 27
      #(IMAP) Unknown IMAP4 command
      suppress gen_id 141, sig_id 1
      #(http_inspect) SIMPLE REQUEST
      suppress gen_id 119, sig_id 32
      #(http_inspect) UNKNOWN METHOD
      suppress gen_id 119, sig_id 31
      #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
      suppress gen_id 120, sig_id 8
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 3
      #(http_inspect) DOUBLE DECODING ATTACK
      suppress gen_id 119, sig_id 2
      #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
      suppress gen_id 120, sig_id 6
      
      1 Reply Last reply Reply Quote 0
      • S
        Stewart
        last edited by

        I guess there is no taming Snort.  All we can do is watch the Alerts and Blocks for a couple of days and disable the alerts causing problems.

        1 Reply Last reply Reply Quote 0
        • MikeV7896M
          MikeV7896
          last edited by

          The best way to tame Snort is to run it in non-blocking mode for a period of time… how long might depend on how busy your network is, or how often various services/sites/etc. are accessed. In non-blocking mode, you'll see the alerts but nothing will be blocked, so users will still connect to sites/services that might be generating the alerts.

          There are a good number of Snort rules that are basically designed to check that protocols are operating as they should based on the RFC for the protocol... and of course some services have bent the rules so many ways to meet the needs of today's connectivity. Often rules about http and SSL can be suppressed... those will probably be a large portion of them. If you use VoIP, then some SIP rules might also show up, depending on how strict your provider adheres to SIP protocol requirements (i.e. my provider prepends the country code to the phone number, so I would see Caller ID too long alerts when receiving calls).

          If you have any concerns about an alert, try and link the IP addresses... i.e. if there's an SSL alert where one IP address is used by an Apple device and the other IP address belongs to Apple, then you're probably safe to suppress the rule (I think Apple's push notifications will trigger a handful of SSL alerts over time). Or an IP phone (or PBX server) and your VoIP provider. I think I suppressed like 15-20 HTTP, SSL, SIP, and other non-critical alerts over the course of a month before I decided to finally turn on Blocking mode.

          The S in IOT stands for Security

          1 Reply Last reply Reply Quote 0
          • U
            u3c307
            last edited by

            I am guessing it's probably your IPS policy you have set or you have set it to balanced. If not check it out and just manually set the ones you want.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.