Snort Setup



  • I have looked at the "sticky" thread Quick Snort Setup Instructions for New Users, and getting the package installed was very easy.

    My question relates to tuning the rules.  The posts by bmeeks/jflsakfja that give most of that information are very old:

    Re: Quick Snort Setup Instructions for New Users
    « Reply #2 on: May 29, 2013, 07:23:29 pm »
    The Missing Part to Quick Snort Setup Instructions for New Users

    Quick Snort Setup Instructions for New Users
    « on: April 10, 2013, 09:36:35 pm »
    Here are the steps for a very quick and easy initial setup of the Snort package on pfSense for new users

    How relevant are they today?  Does anyone have a good up-to-date source?

    I have tons of alerts that look like the following:

    2017-02-23  11:55:30  3  TCP  Unknown Traffic  192.168.0.12  88  192.168.0.10  3871  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    2017-02-23  11:52:08  3  TCP  Unknown Traffic  151.101.124.84  80  192.168.0.15  34412  119:31  (http_inspect) UNKNOWN METHOD

    I've looked at the reference pointed to by the rules, and I understand what it's saying, but I'm not really sure of the impact.  I would say they aren't dangerous, but in the case of the first rule it may mean a simple IoT device has been compromised (or not). How should I best proceed, since the message really doesn't give much more than a hint?



  • The first rule of security for me is never use someone else's rules or whitelist. You as the administrator of your network should know it best and determine what is good and what is not. From your alert IP:

    2017-02-23  11:55:30  3  TCP  Unknown Traffic  192.168.0.12  88  192.168.0.10  3871  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    Should .12 be accessing .10? If so, then for what reason? Is it a device or server compromise? If so, did you check logs or do a Wireshark capture? These are things you need to ask.

    2017-02-23  11:52:08  3  TCP  Unknown Traffic  151.101.124.84  80  192.168.0.15  34412  119:31  (http_inspect) UNKNOWN METHOD

    151.101.124.84 seems to be Pinterest. Is .15 a device that is accessing Pinterest at the moment? Is Pinterest blocked? Content not showing? Most of the time http_inspect alerts are errors in the HTTP conversation. But not in every case; sometimes these can be some sort of consolidated attack on your servers, or possibly an attempt to use them in an attack against another server or servers. In this case most likely not, and I consider it safe; if it isn't affecting the website or content I just leave it alone. Hope that helps.
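    As an added example (not from either poster), a Python script that parses alert rows in the column layout shown above, answers the reply's first question for each one (is this LAN-to-LAN, or a web reply from the Internet to an internal host?) and drafts suppress entries in Snort's threshold.conf syntax for the browsing-reply cases. The column order and the suppress-entry syntax are assumptions to check against your pfSense version; the sample rows are constructed to mirror the two alerts in the thread.

```python
import ipaddress
import re

# Constructed sample rows in the column order of pfSense's Snort Alerts tab
# (date, time, priority, proto, class, src, sport, dst, dport, gid:sid, message);
# they mirror the two alerts discussed in the thread.
SAMPLE_ALERTS = """\
2017-02-23 11:55:30 3 TCP Unknown Traffic 192.168.0.12 88 192.168.0.10 3871 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
2017-02-23 11:52:08 3 TCP Unknown Traffic 151.101.124.84 80 192.168.0.15 34412 119:31 (http_inspect) UNKNOWN METHOD
"""

ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<pri>\d+) (?P<proto>\S+) (?P<cls>.+?) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+) "
    r"(?P<gid>\d+):(?P<sid>\d+) (?P<msg>.*)$"
)

def parse_alerts(text):
    """Parse alert rows into dicts; rows that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def classify(alert):
    """Direction of the flow, which is the first question the reply asks:
    LAN-to-LAN means look at the two hosts themselves (logs, a capture);
    a reply from the Internet on 80/443 is usually just a browsing session."""
    src_private = ipaddress.ip_address(alert["src"]).is_private
    dst_private = ipaddress.ip_address(alert["dst"]).is_private
    if src_private and dst_private:
        return "lan_to_lan"
    if dst_private:
        return "internet_to_lan"
    return "lan_to_internet"

def suppress_candidates(alerts):
    """Emit Snort suppress entries (threshold.conf syntax, assumed to match the
    pfSense suppress list) for preprocessor hits that are just web replies to
    an internal host, keyed on that host, for review before they are applied."""
    lines = []
    for a in alerts:
        if classify(a) == "internet_to_lan" and a["sport"] in ("80", "443"):
            lines.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}")
    return lines
```

The LAN-to-LAN row (.12 answering .10 from port 88) deliberately gets no suppress entry: that is the one the reply says to check on the device itself.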