Snort: Some newbie assistance



  • Hi everyone.
    I'm new to Snort and I have looked through the posts in the forum, and I'm still trying to grasp how everything works, so please bear with me.
    I've installed the package and enabled Snort on my WAN interface. For the moment I've decided NOT to block any traffic, as I just want to monitor the activity and sort out most of the false positives.

    So Snort is enabled and I see that there are a lot of alerts popping up in the Alerts tab (which I hope means that it's working correctly). I've then tried to google for specific alerts like "(spp_ssl) Invalid Client HELLO after Server HELLO Detected" and try to figure out whether the alert is a false positive or not. So far so good.
    I then read in a post that you should disable the rule that created the false positive instead of adding it to the suppress list, I guess to save CPU time on something that should not be detected anyway. So I pressed the little red X (Force disable this rule and remove it from the current rules set) on the alert page. When you do that, the red X turns into a yellow X (Rule is forced to a disabled state. Click to remove the force-disable action from this rule). So I guess that I disabled that rule and the alert stopped popping up? But it doesn't. I still get the alerts (hundreds every day).
    I also tried to add the rule to the suppression list using the small + (Add this rule to the suppression list), but when I do that I get "The following input errors were detected:
    Suppress List 'wansuppress_581cacde375ae' is defined for this interface, but it could not be found!". I guess that's because I disabled the rule entirely?

    Or maybe the rule is disabled, but I get the alert anyway? (But then the rule cannot be disabled?) Well, I'm a bit confused here and I would appreciate some input.
    Also, is there some sort of basic list of alerts that can safely be disabled? Thank you :)



  • Reboot pfSense.
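An added example, not from this thread and not pfSense's or Snort's own code: the pfSense suppress list is written in Snort's threshold.conf syntax, where each entry names an alert by its generator ID and signature ID, the first two numbers of the `[gid:sid:rev]` triple printed with every alert. The POSIX sh script below reads alert_fast-style lines, counts alerts per GID:SID and emits suppress entries for the ones that fire at least N times. The sample alert lines are constructed for illustration; the GID:SID pairs, the addresses and the threshold of 3 are assumptions, so take the real values from your own Alerts tab. The distinction it encodes is the one the question turns on: an alert with GID 1 comes from a rule in the loaded rule set, which is what a force-disable acts on and what saves CPU; a GID other than 1, such as the spp_ssl event quoted above, is a preprocessor event rather than a rule, and a suppress entry is the mechanism that applies to it (the event is still generated, it is just not logged).

```shell
#!/bin/sh
# Added example (not from the original thread, pfSense or Snort):
# turn Snort alert_fast lines into suppress-list entries.

# Constructed sample alerts for illustration only. The GID:SID pairs
# and IP addresses are assumptions, not values taken from the thread.
SAMPLE_ALERTS='01/15-10:02:11.123456  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 203.0.113.7:443 -> 192.0.2.10:51234
01/15-10:02:12.223456  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 203.0.113.7:443 -> 192.0.2.10:51235
01/15-10:03:40.000001  [**] [1:1000001:1] EXAMPLE local rule hit [**] [Priority: 2] {TCP} 198.51.100.4:80 -> 192.0.2.10:40022
01/15-10:05:00.500000  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 203.0.113.9:443 -> 192.0.2.10:51300'

# Print "GID:SID" for every alert line read on stdin
# (the [gid:sid:rev] triple that follows the first [**]).
alert_gid_sid() {
    sed -n 's/.*\[\*\*\] \[\([0-9][0-9]*\):\([0-9][0-9]*\):[0-9][0-9]*\].*/\1:\2/p'
}

# Count alerts per GID:SID, busiest first, as "<count> <gid>:<sid>".
count_alerts() {
    alert_gid_sid | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# One suppress-list line in Snort threshold.conf syntax.
# An optional third argument narrows it to a single source IP,
# which is usually preferable to hiding the event from everyone.
suppress_entry() {
    if [ -n "$3" ]; then
        printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$1" "$2" "$3"
    else
        printf 'suppress gen_id %s, sig_id %s\n' "$1" "$2"
    fi
}

# Emit a suppress entry for every GID:SID seen at least $1 times on stdin.
suppress_noisy() {
    min="$1"
    count_alerts | while read -r n pair; do
        [ "$n" -ge "$min" ] || continue
        gid=${pair%%:*}
        sid=${pair##*:}
        suppress_entry "$gid" "$sid"
    done
}

# GID 1 alerts come from a rule in the rule set (force-disable applies);
# any other GID is a preprocessor or decoder event (suppress applies).
alert_source() {
    case "$1" in
        1) echo rule ;;
        *) echo preprocessor ;;
    esac
}

# Usage: feed your alert log instead of the constructed sample.
printf '%s\n' "$SAMPLE_ALERTS" | suppress_noisy 3
```

Run against a real log, the output lines can be pasted into the interface's suppress list; before doing so, check `alert_source` on the GID so you are not trying to force-disable a preprocessor event, and prefer the `track by_src` form when only one peer triggers the alert.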