Netgate Discussion Forum
    Snort Setup

    IDS/IPS
    2 Posts 2 Posters 1.1k Views
    guardian (Rebel Alliance):

      I have looked at the "sticky" thread Quick Snort Setup Instructions for New Users, and getting the package installed was very easy.

      My question relates to tuning the rules. The posts by bmeeks/jflsakfja that give most of that information are very old:

      Re: Quick Snort Setup Instructions for New Users
      « Reply #2 on: May 29, 2013, 07:23:29 pm »
      The Missing Part to Quick Snort Setup Instructions for New Users

      Quick Snort Setup Instructions for New Users
      « on: April 10, 2013, 09:36:35 pm »
      Here are the steps for a very quick and easy initial setup of the Snort package on pfSense for new users

      How relevant are they today? Does anyone have a good up-to-date source?

      I have tons of alerts that look like the following:

      2017-02-23
      11:55:30 3 TCP Unknown Traffic 192.168.0.12
        88 192.168.0.10
        3871 120:3
        (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

      2017-02-23
      11:52:08 3 TCP Unknown Traffic 151.101.124.84
        80 192.168.0.15
        34412 119:31
        (http_inspect) UNKNOWN METHOD

      I've looked at the reference pointed to by the rules, and I understand what it's saying, but I'm not really sure of the impact. I would say they aren't dangerous, but in the case of the first rule it may mean a simple IoT device has been compromised (or not). How should I best proceed, since the message really doesn't give much more than a hint?

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      u3c307:

        The first rule of security for me is never to use someone else's rules or whitelist. You as the administrator of your network should know it best and determine what is good and what is not. From your alert IPs:

        2017-02-23
        11:55:30  3  TCP  Unknown Traffic  192.168.0.12
            88  192.168.0.10
            3871  120:3
            (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

        Should .12 be accessing .10? If so, then for what reason? Is it a device or server compromise? If so, did you check logs or do a Wireshark capture? These are things you need to ask.

        2017-02-23
        11:52:08  3  TCP  Unknown Traffic  151.101.124.84
            80  192.168.0.15
            34412  119:31
            (http_inspect) UNKNOWN METHOD

        151.101.124.84 seems to be Pinterest. Is .15 a device that is accessing Pinterest at the moment? Is Pinterest blocked? Content not showing? Most of the time http_inspect alerts are errors with the HTTP conversation. But not in all cases; sometimes these can be some sort of consolidated attack on your servers, or possibly an attempt to use them in an attack against another server or servers. In this case most likely not; I consider it safe, and if it isn't affecting the website or content I just leave it alone. Hope that helps.

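The triage questions in the reply above (is the internal flow one you expect, is the other side an external site, is the alert just HTTP parsing noise) can be turned into a small script that sorts http_inspect alerts into "expected", "external" and "investigate" buckets. The following is an added example written for this thread; it is not pfSense or Snort code. The tab-separated input format is constructed to mirror the columns shown in the pfSense Alerts tab (date, time, priority, proto, class, src, sport, dst, dport, gid:sid, message), the 192.168.0.0/24 subnet and the `EXPECTED_FLOWS` inventory are assumptions, and the "lower port is the server" rule is a heuristic, not something Snort guarantees. The suppress lines it prints use the standard Snort `suppress gen_id ..., sig_id ..., track ..., ip ...` syntax.

```python
"""Triage helper for Snort http_inspect alerts like the two quoted in this thread.

Added example, not pfSense or Snort code. Input columns are constructed to
mirror the pfSense Alerts tab; subnet and expected-flow inventory are assumed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two alerts quoted in the thread plus two extra rows.
SAMPLE_ALERTS = (
    "2017-02-23\t11:55:30\t3\tTCP\tUnknown Traffic\t192.168.0.12\t88\t192.168.0.10\t3871\t120:3\t"
    "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE\n"
    "2017-02-23\t11:52:08\t3\tTCP\tUnknown Traffic\t151.101.124.84\t80\t192.168.0.15\t34412\t119:31\t"
    "(http_inspect) UNKNOWN METHOD\n"
    "2017-02-23\t11:50:02\t3\tTCP\tUnknown Traffic\t192.168.0.12\t88\t192.168.0.10\t3872\t120:3\t"
    "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE\n"
    "2017-02-23\t11:49:40\t3\tTCP\tUnknown Traffic\t192.168.0.12\t8080\t192.168.0.77\t49152\t120:3\t"
    "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE\n"
)

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed local subnet

# Assumed inventory of internal HTTP services the administrator knows about:
# (server_ip, server_port, client_ip) -> reason. Any LAN-to-LAN flow that is
# not listed here deserves a look at device logs or a packet capture.
EXPECTED_FLOWS = {
    ("192.168.0.12", 88, "192.168.0.10"): "IoT device web UI polled by .10 (assumed)",
}


@dataclass
class Alert:
    date: str
    time: str
    gid: int
    sid: int
    src: str
    sport: int
    dst: str
    dport: int
    msg: str

    def server_side(self):
        """Heuristic: the endpoint with the lower port is the server, since
        client ports are ephemeral (high). Returns (server_ip, server_port, client_ip)."""
        if self.sport <= self.dport:
            return self.src, self.sport, self.dst
        return self.dst, self.dport, self.src


def parse_alerts(text):
    """Parse the constructed tab-separated alert format into Alert objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 11:
            raise ValueError(f"unexpected column count in {line!r}")
        gid, sid = cols[9].split(":")
        alerts.append(Alert(cols[0], cols[1], int(gid), int(sid),
                            cols[5], int(cols[6]), cols[7], int(cols[8]), cols[10]))
    return alerts


def triage(alert):
    """Return (verdict, detail) applying the questions from the reply above."""
    server_ip, server_port, client_ip = alert.server_side()
    if ipaddress.ip_address(server_ip) not in LAN:
        return "external", (f"{client_ip} talking to external web server {server_ip}:{server_port}; "
                            "usually HTTP parsing noise, verify the destination if unsure")
    key = (server_ip, server_port, client_ip)
    if key in EXPECTED_FLOWS:
        return "expected", f"known internal flow: {EXPECTED_FLOWS[key]}"
    return "investigate", (f"unexpected internal flow {client_ip} -> {server_ip}:{server_port}; "
                           "check device logs or capture the traffic")


def summarize(alerts):
    """Count alerts per gid:sid and per triage verdict."""
    by_sig = Counter(f"{a.gid}:{a.sid}" for a in alerts)
    by_verdict = Counter(triage(a)[0] for a in alerts)
    return by_sig, by_verdict


def suppress_lines(alerts):
    """Snort suppress entries for alerts on expected flows, tracked by the
    server address so the same signature still fires for other hosts."""
    lines = set()
    for a in alerts:
        if triage(a)[0] == "expected":
            server_ip, _, _ = a.server_side()
            track = "by_src" if a.src == server_ip else "by_dst"
            lines.add(f"suppress gen_id {a.gid}, sig_id {a.sid}, track {track}, ip {server_ip}")
    return sorted(lines)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        verdict, detail = triage(a)
        print(f"{a.date} {a.time} {a.gid}:{a.sid} [{verdict}] {detail}")
    print(summarize(parsed))
    print("\n".join(suppress_lines(parsed)))
```

Run against the sample, the two quoted alerts come out as "expected" (the .12 to .10 flow is in the inventory) and "external" (Pinterest), while the constructed fourth row, the same IoT device serving HTTP on a different port to a host nobody listed, is the one flagged for a log check or capture. The generated suppress line only silences 120:3 for the known server address, which is a narrower change than disabling the rule.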
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.