Snort False-Positives



  • Very sorry if this topic has been covered.  My guess is it has but I can't find an answer.

    In the past few months, more and more, I am getting SNORT alerts and blocks on 1e100.net IPs (which pretty much kills Chrome browsing) and alerts and blocks on anything …deploy.static.akamaitechnologies.com, which now seems to affect more than just downloads.

    Both, obviously, have huge IP ranges so picking them off one at a time is futile.

    Is there a way to allow the entire domain?  And, if so, should I?  Maybe a better idea is to have people stop using Chrome?

    Should we all just stop using Google everything?

    Miles


  • Banned

    You should disable the offending rules (completely, not for individual IPs). The SID Mgmt tab is a good place to disable completely broken rules.



  • I understand, but if the offense (or falsely detected offense) is port scanning, are you not opening your entire network to the potentially very harmful hacking staple?

    I think the rule is 122.  Do I really want to shut down that rule?  Seems risky.


  • Banned

    It's already blocked by the firewall (unless you have your network completely open, in which case you have bigger issues than Snort FPs).



  • Makes sense but, if the firewall already blocks something why would Snort not only be detecting it but also blocking it?  That just does not make any sense.  What filters first, the firewall or Snort?  Also, why would it determine that a simple Google search is somehow port scanning?

    Thanks for your help but this is extremely confusing.


  • Banned

    Snort works on a copy of a packet; it doesn't block anything, it merely passes the offenders to the snort2c table for pf to handle. If you want an inline IDS/IPS, use Suricata. (Inline mode needs a supported NIC, plus I would not suggest this if you are using VLAN or shapers, see #6690 and #6023.)
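
Before disabling a rule outright, as suggested in this thread, it helps to see which generator and signature IDs are producing the alerts and from how many distinct sources. The following is an added example, not part of the original posts: it tallies Snort fast-format alert lines by GID:SID. The sample lines, IP addresses, SID 1000001 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
01/15-10:22:31.100001  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 203.0.113.10 -> 192.168.1.20
01/15-10:22:35.200002  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 203.0.113.11 -> 192.168.1.20
01/15-10:23:02.300003  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 203.0.113.10 -> 192.168.1.21
01/15-10:25:40.400004  [**] [1:1000001:1] Constructed example rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.20:51514
this line is not an alert and is skipped
"""

# [gid:sid:rev] message [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{[^}]+\}\s+(\S+)\s+->\s+(\S+)"
)

def strip_port(endpoint):
    """Drop a trailing :port from an IPv4 endpoint (sample data is IPv4 only)."""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint

def summarize(lines):
    """Group alerts by 'gid:sid' with a count and the set of source addresses."""
    summary = defaultdict(lambda: {"msg": "", "count": 0, "sources": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # ignore anything that is not a fast-format alert
        gid, sid, msg, src, _dst = m.groups()
        entry = summary[f"{gid}:{sid}"]
        entry["msg"] = msg
        entry["count"] += 1
        entry["sources"].add(strip_port(src))
    return dict(summary)

def ranked(summary):
    """Return (gid:sid, entry) pairs, noisiest rule first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for key, e in ranked(summarize(SAMPLE_ALERTS.splitlines())):
        print(f"{key:12} {e['count']:3} alerts, {len(e['sources'])} sources  {e['msg']}")
```

A rule that dominates the tally across many unrelated sources is a candidate for review on the SID Mgmt tab; one that fires for a single source deserves a closer look before it is disabled.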