Taming Snort
-
I'm sorry if this has been asked before. I've searched and plodded through many posts but none seem to have an answer that works for me.
I'm running 2.3.2-Release with Snort 3.2.9.1_14. I have Snort enabled on the WAN interface. I have unchecked everything in WAN categories. I've not touched any rules, variables, preprocs, etc. In short I have Snort enabled and On but it seems to block a whole bunch of legitimate stuff at its most basic setting.
For example, running a test at speedtest.bhn.net get blocked.
1 97.69.182.4
(http_inspect) PROTOCOL-OTHER HTTP server response before client request – 2016-10-17 19:49:59
(http_inspect) UNESCAPED SPACE IN HTTP URI -- 2016-10-17 19:49:58
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 19:49:58Some others that have been blocked in just the last little bit:
2 74.208.213.69
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 19:49:51
3 17.171.98.35
(spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:54:17
4 172.233.133.207
(spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:56:06
5 17.248.137.116
(spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:56:09
6 17.249.153.246
(spp_ssl) Invalid Client HELLO after Server HELLO Detected -- 2016-10-17 19:57:13
7 93.184.216.229
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:01:12
8 72.21.81.253
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:03:33
9 54.245.239.64
(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE -- 2016-10-17 20:04:00
10 66.61.170.18
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:04:52
11 52.84.76.191
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2016-10-17 20:04:52I only want it to block malicious things like intrusions or infections. These don't seem like those. Can someone help me get this sorted? Thanks.
Edit: If it helps, here is my Suppression List:
suppress gen_id 1, sig_id 536 suppress gen_id 1, sig_id 648 suppress gen_id 1, sig_id 653 suppress gen_id 1, sig_id 1390 suppress gen_id 1, sig_id 2452 suppress gen_id 1, sig_id 8375 suppress gen_id 1, sig_id 11192 suppress gen_id 1, sig_id 12286 suppress gen_id 1, sig_id 15147 suppress gen_id 1, sig_id 15306 suppress gen_id 1, sig_id 15362 suppress gen_id 1, sig_id 16313 suppress gen_id 1, sig_id 16482 suppress gen_id 1, sig_id 17458 suppress gen_id 1, sig_id 20583 suppress gen_id 1, sig_id 23098 suppress gen_id 1, sig_id 23256 suppress gen_id 1, sig_id 24889 suppress gen_id 1, sig_id 2000334 suppress gen_id 1, sig_id 2000419 suppress gen_id 1, sig_id 2003195 suppress gen_id 1, sig_id 2008120 suppress gen_id 1, sig_id 2008578 suppress gen_id 1, sig_id 2010516 suppress gen_id 1, sig_id 2010935 suppress gen_id 1, sig_id 2010937 suppress gen_id 1, sig_id 2011716 suppress gen_id 1, sig_id 2012086 suppress gen_id 1, sig_id 2012088 suppress gen_id 1, sig_id 2012141 suppress gen_id 1, sig_id 2012252 suppress gen_id 1, sig_id 2012758 suppress gen_id 1, sig_id 2013222 suppress gen_id 1, sig_id 2013414 suppress gen_id 1, sig_id 2014518 suppress gen_id 1, sig_id 2014520 suppress gen_id 1, sig_id 2014726 suppress gen_id 1, sig_id 2014819 suppress gen_id 1, sig_id 2015561 suppress gen_id 1, sig_id 2100366 suppress gen_id 1, sig_id 2100368 suppress gen_id 1, sig_id 2100651 suppress gen_id 1, sig_id 2101390 suppress gen_id 1, sig_id 2101424 suppress gen_id 1, sig_id 2102314 suppress gen_id 1, sig_id 2103134 suppress gen_id 1, sig_id 2103192 suppress gen_id 1, sig_id 2013504 suppress gen_id 1, sig_id 2406003 suppress gen_id 1, sig_id 2406067 suppress gen_id 1, sig_id 2406069 suppress gen_id 1, sig_id 2406424 suppress gen_id 1, sig_id 2500056 suppress gen_id 1, sig_id 100000230 suppress gen_id 3, sig_id 14772 #(http_inspect) DOUBLE DECODING ATTACK suppress gen_id 119, sig_id 2 #(http_inspect) BARE BYTE UNICODE ENCODING suppress gen_id 119, sig_id 4 #(http_inspect) IIS UNICODE CODEPOINT ENCODING suppress gen_id 119, sig_id 7 #(http_inspect) NON-RFC DEFINED CHAR [**] suppress gen_id 119, sig_id 14 #(http_inspect) UNKNOWN METHOD suppress gen_id 119, sig_id 31 #(http_inspect) SIMPLE REQUEST suppress gen_id 119, sig_id 32 #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE suppress gen_id 120, sig_id 2 #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE suppress gen_id 120, sig_id 3 #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE suppress gen_id 120, sig_id 4 #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED suppress gen_id 120, sig_id 6 #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE suppress gen_id 120, sig_id 8 #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1 suppress gen_id 120, sig_id 9 # Unknown suppress gen_id 120, sig_id 10 suppress gen_id 122, sig_id 19 suppress gen_id 122, sig_id 21 suppress gen_id 122, sig_id 22 suppress gen_id 122, sig_id 23 suppress gen_id 122, sig_id 26 #(spp_frag3) Bogus fragmentation packet. Possible BSD attack suppress gen_id 123, sig_id 10 #(smtp) Attempted response buffer overflow: 1448 chars suppress gen_id 124, sig_id 3 #(ftp_telnet) Invalid FTP Command suppress gen_id 125, sig_id 2 #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected suppress gen_id 137, sig_id 1 # Credit Card Numbers suppress gen_id 138, sig_id 2 # U.S. Social Security Numbers (with dashes) suppress gen_id 138, sig_id 3 # U.S. Social Security Numbers (w/out dashes) suppress gen_id 138, sig_id 4 # Email Addresses suppress gen_id 138, sig_id 5 # U.S. Phone Numbers suppress gen_id 138, sig_id 6 #(spp_sip) Maximum dialogs within a session reached suppress gen_id 140, sig_id 27 #(IMAP) Unknown IMAP4 command suppress gen_id 141, sig_id 1 #(http_inspect) SIMPLE REQUEST suppress gen_id 119, sig_id 32 #(http_inspect) UNKNOWN METHOD suppress gen_id 119, sig_id 31 #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE suppress gen_id 120, sig_id 8 #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE suppress gen_id 120, sig_id 3 #(http_inspect) DOUBLE DECODING ATTACK suppress gen_id 119, sig_id 2 #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED suppress gen_id 120, sig_id 6 -
I guess there is no taming Snort. All we can do is watch the Alerts and Blocks for a couple of days and disable the alerts causing problems.
-
The best way to tame Snort is to run it in non-blocking mode for a period of time… how long might depend on how busy your network is, or how often various services/sites/etc. are accessed. In non-blocking mode, you'll see the alerts but nothing will be blocked, so users will still connect to sites/services that might be generating the alerts.
There are a good number of Snort rules that are basically designed to check that protocols are operating as they should based on the RFC for the protocol... and of course some services have bent the rules so many ways to meet the needs of today's connectivity. Often rules about http and SSL can be suppressed... those will probably be a large portion of them. If you use VoIP, then some SIP rules might also show up, depending on how strict your provider adheres to SIP protocol requirements (i.e. my provider prepends the country code to the phone number, so I would see Caller ID too long alerts when receiving calls).
If you have any concerns about an alert, try and link the IP addresses... i.e. if there's an SSL alert where one IP address is used by an Apple device and the other IP address belongs to Apple, then you're probably safe to suppress the rule (I think Apple's push notifications will trigger a handful of SSL alerts over time). Or an IP phone (or PBX server) and your VoIP provider. I think I suppressed like 15-20 HTTP, SSL, SIP, and other non-critical alerts over the course of a month before I decided to finally turn on Blocking mode.
-
I am guessing it's probably your IPS policy you have set or you have set it to balanced. If not check it out and just manually set the ones you want.
