Taming Snort



  • I'm sorry if this has been asked before.  I've searched and plodded through many posts but none seem to have an answer that works for me.

    I'm running 2.3.2-Release with Snort 3.2.9.1_14.  I have Snort enabled on the WAN interface.  I have unchecked everything in WAN categories. I've not touched any rules, variables, preprocs, etc.  In short I have Snort enabled and On but it seems to block a whole bunch of legitimate stuff at its most basic setting.

    For example, running a test at speedtest.bhn.net get blocked. 
    1 97.69.182.4
    (http_inspect) PROTOCOL-OTHER HTTP server response before client request – 2016-10-17 19:49:59
    (http_inspect) UNESCAPED SPACE IN HTTP URI -- 2016-10-17 19:49:58
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 19:49:58

    Some others that have been blocked in just the last little bit:
    2 74.208.213.69
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 19:49:51
    3 17.171.98.35
    (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:54:17
    4 172.233.133.207
    (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:56:06
    5 17.248.137.116
    (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:56:09
    6 17.249.153.246
    (spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:57:13
    7 93.184.216.229
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:01:12
    8 72.21.81.253
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:03:33
    9 54.245.239.64
    (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE -- 2016-10-17 20:04:00
    10 66.61.170.18
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:04:52
    11 52.84.76.191
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:04:52

    I only want it to block malicious things like intrusions or infections.  These don't seem like those.  Can someone help me get this sorted?  Thanks.

    Edit:  If it helps, here is my Suppression List:

    suppress gen_id 1, sig_id 536
    suppress gen_id 1, sig_id 648
    suppress gen_id 1, sig_id 653
    suppress gen_id 1, sig_id 1390
    suppress gen_id 1, sig_id 2452
    suppress gen_id 1, sig_id 8375
    suppress gen_id 1, sig_id 11192
    suppress gen_id 1, sig_id 12286
    suppress gen_id 1, sig_id 15147
    suppress gen_id 1, sig_id 15306
    suppress gen_id 1, sig_id 15362
    suppress gen_id 1, sig_id 16313
    suppress gen_id 1, sig_id 16482
    suppress gen_id 1, sig_id 17458
    suppress gen_id 1, sig_id 20583
    suppress gen_id 1, sig_id 23098
    suppress gen_id 1, sig_id 23256
    suppress gen_id 1, sig_id 24889
    suppress gen_id 1, sig_id 2000334
    suppress gen_id 1, sig_id 2000419
    suppress gen_id 1, sig_id 2003195
    suppress gen_id 1, sig_id 2008120
    suppress gen_id 1, sig_id 2008578
    suppress gen_id 1, sig_id 2010516
    suppress gen_id 1, sig_id 2010935
    suppress gen_id 1, sig_id 2010937
    suppress gen_id 1, sig_id 2011716
    suppress gen_id 1, sig_id 2012086
    suppress gen_id 1, sig_id 2012088
    suppress gen_id 1, sig_id 2012141
    suppress gen_id 1, sig_id 2012252
    suppress gen_id 1, sig_id 2012758
    suppress gen_id 1, sig_id 2013222
    suppress gen_id 1, sig_id 2013414
    suppress gen_id 1, sig_id 2014518
    suppress gen_id 1, sig_id 2014520
    suppress gen_id 1, sig_id 2014726
    suppress gen_id 1, sig_id 2014819
    suppress gen_id 1, sig_id 2015561
    suppress gen_id 1, sig_id 2100366
    suppress gen_id 1, sig_id 2100368
    suppress gen_id 1, sig_id 2100651
    suppress gen_id 1, sig_id 2101390
    suppress gen_id 1, sig_id 2101424
    suppress gen_id 1, sig_id 2102314
    suppress gen_id 1, sig_id 2103134
    suppress gen_id 1, sig_id 2103192
    suppress gen_id 1, sig_id 2013504
    suppress gen_id 1, sig_id 2406003
    suppress gen_id 1, sig_id 2406067
    suppress gen_id 1, sig_id 2406069
    suppress gen_id 1, sig_id 2406424
    suppress gen_id 1, sig_id 2500056
    suppress gen_id 1, sig_id 100000230
    suppress gen_id 3, sig_id 14772
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) NON-RFC DEFINED CHAR [**]
    suppress gen_id 119, sig_id 14
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 2
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
    suppress gen_id 120, sig_id 4
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    suppress gen_id 120, sig_id 9
    # Unknown
    suppress gen_id 120, sig_id 10
    suppress gen_id 122, sig_id 19
    suppress gen_id 122, sig_id 21
    suppress gen_id 122, sig_id 22
    suppress gen_id 122, sig_id 23
    suppress gen_id 122, sig_id 26
    #(spp_frag3) Bogus fragmentation packet. Possible BSD attack
    suppress gen_id 123, sig_id 10
    #(smtp) Attempted response buffer overflow: 1448 chars
    suppress gen_id 124, sig_id 3
    #(ftp_telnet) Invalid FTP Command
    suppress gen_id 125, sig_id 2
    #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
    suppress gen_id 137, sig_id 1
    # Credit Card Numbers
    suppress gen_id 138, sig_id 2
    # U.S. Social Security Numbers (with dashes)
    suppress gen_id 138, sig_id 3
    # U.S. Social Security Numbers (w/out dashes)
    suppress gen_id 138, sig_id 4
    # Email Addresses
    suppress gen_id 138, sig_id 5
    # U.S. Phone Numbers
    suppress gen_id 138, sig_id 6
    #(spp_sip) Maximum dialogs within a session reached
    suppress gen_id 140, sig_id 27
    #(IMAP) Unknown IMAP4 command
    suppress gen_id 141, sig_id 1
    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    


  • I guess there is no taming Snort.  All we can do is watch the Alerts and Blocks for a couple of days and disable the alerts causing problems.



  • The best way to tame Snort is to run it in non-blocking mode for a period of time… how long might depend on how busy your network is, or how often various services/sites/etc. are accessed. In non-blocking mode, you'll see the alerts but nothing will be blocked, so users will still connect to sites/services that might be generating the alerts.

    There are a good number of Snort rules that are basically designed to check that protocols are operating as they should based on the RFC for the protocol... and of course some services have bent the rules so many ways to meet the needs of today's connectivity. Often rules about http and SSL can be suppressed... those will probably be a large portion of them. If you use VoIP, then some SIP rules might also show up, depending on how strict your provider adheres to SIP protocol requirements (i.e. my provider prepends the country code to the phone number, so I would see Caller ID too long alerts when receiving calls).

    If you have any concerns about an alert, try and link the IP addresses... i.e. if there's an SSL alert where one IP address is used by an Apple device and the other IP address belongs to Apple, then you're probably safe to suppress the rule (I think Apple's push notifications will trigger a handful of SSL alerts over time). Or an IP phone (or PBX server) and your VoIP provider. I think I suppressed like 15-20 HTTP, SSL, SIP, and other non-critical alerts over the course of a month before I decided to finally turn on Blocking mode.



  • I am guessing it's probably your IPS policy you have set or you have set it to balanced. If not check it out and just manually set the ones you want.


Log in to reply