Snort Setup
-
I have looked at the "sticky" thread Quick Snort Setup Instructions for New Users, and getting the package installed was very easy.
My question relates to tuning the rules. The posts by bmeeks/jflsakfja that give most of that information are very old:
Re: Quick Snort Setup Instructions for New Users
« Reply #2 on: May 29, 2013, 07:23:29 pm »

The Missing Part to Quick Snort Setup Instructions for New Users

Quick Snort Setup Instructions for New Users
« on: April 10, 2013, 09:36:35 pm »
"Here are the steps for a very quick and easy initial setup of the Snort package on pfSense for new users"

How relevant are they today? Does anyone have a good up-to-date source?
I have tons of alerts that look like the following:

Date        Time      Pri  Proto  Class            Source IP       SPort  Destination IP  DPort  GID:SID  Description
2017-02-23  11:55:30  3    TCP    Unknown Traffic  192.168.0.12    88     192.168.0.10    3871   120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
2017-02-23  11:52:08  3    TCP    Unknown Traffic  151.101.124.84  80     192.168.0.15    34412  119:31   (http_inspect) UNKNOWN METHOD

I've looked at the reference pointed to by the rules, and I understand what it's saying, but I'm not really sure of the impact. I would say they aren't dangerous, but in the case of the first rule it may mean a simple IoT device has been compromised (or not). How should I best proceed, since the message really doesn't give much more than a hint?
-
The first rule of security for me is never to use someone else's rules or whitelist. You, as the administrator of your network, should know it best and determine what is good and what is not. From your alert IPs:

Date        Time      Pri  Proto  Class            Source IP       SPort  Destination IP  DPort  GID:SID  Description
2017-02-23  11:55:30  3    TCP    Unknown Traffic  192.168.0.12    88     192.168.0.10    3871   120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

Should .12 be accessing .10? If so, then for what reason? Is it a device or server compromise? If so, did you check logs or do a Wireshark capture? These are things you need to ask.
Date        Time      Pri  Proto  Class            Source IP       SPort  Destination IP  DPort  GID:SID  Description
2017-02-23  11:52:08  3    TCP    Unknown Traffic  151.101.124.84  80     192.168.0.15    34412  119:31   (http_inspect) UNKNOWN METHOD

151.101.124.84 seems to be Pinterest. Is .15 a device that is accessing Pinterest at the moment? Is Pinterest blocked? Content not showing? Most of the time http_inspect alerts are errors with the HTTP conversation. But that is not always the case; sometimes these can be some sort of consolidated attack on your servers, or possibly an attempt to use them in an attack against another server or servers. In this case most likely not, and I consider it safe if it isn't affecting the website or content; I just leave it alone. Hope that helps.
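The two posts above boil down to a triage loop: group the http_inspect alerts by signature and IP pair, decide for each pair whether the traffic is expected, and suppress only what you have personally judged benign. The script below is an added example written for this thread, not code from either poster or from the pfSense Snort package. It parses rows shaped like the Alerts tab (the three sample rows are constructed from the two alerts quoted above plus one repeat), summarises them, emits Snort `suppress` entries in the threshold.conf syntax the package's Suppress List accepts, and includes a small checker for the exact HTTP condition behind GID 120 SID 3 so you can confirm from a Wireshark/tcpdump capture of .10's reply whether the device really answers without framing headers. The `benign_pairs` set is an assumption standing in for the administrator's own decision.

```python
"""Triage helper for pfSense Snort alert rows (added example, not from the thread).

Parses rows shaped like the Alerts tab, groups them by GID:SID and IP pair,
and writes suppress-list entries (Snort threshold.conf syntax) for the pairs
the administrator has decided are benign. Also checks an HTTP response head
for the condition GID 120 SID 3 reports.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample rows: tab-separated, matching the Alerts tab columns
# date, time, priority, proto, class, src, sport, dst, dport, gid:sid, description.
SAMPLE_ALERTS = """\
2017-02-23\t11:55:30\t3\tTCP\tUnknown Traffic\t192.168.0.12\t88\t192.168.0.10\t3871\t120:3\t(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
2017-02-23\t11:52:08\t3\tTCP\tUnknown Traffic\t151.101.124.84\t80\t192.168.0.15\t34412\t119:31\t(http_inspect) UNKNOWN METHOD
2017-02-23\t11:50:02\t3\tTCP\tUnknown Traffic\t192.168.0.12\t88\t192.168.0.10\t3869\t120:3\t(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
"""


@dataclass(frozen=True)
class Alert:
    date: str
    time: str
    priority: int
    proto: str
    klass: str
    src: str
    sport: int
    dst: str
    dport: int
    gid: int
    sid: int
    msg: str


def parse_alerts(text):
    """Parse tab-separated alert rows into Alert records; reject malformed rows."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) != 11:
            raise ValueError(f"unexpected field count in: {line!r}")
        gid, sid = f[9].split(":")
        alerts.append(Alert(f[0], f[1], int(f[2]), f[3], f[4], f[5], int(f[6]),
                            f[7], int(f[8]), int(gid), int(sid), f[10]))
    return alerts


def summarize(alerts):
    """Count alerts per (gid, sid, src, dst).

    Ephemeral ports change on every connection, so they are dropped; the
    server-side port is usually fixed, but the IP pair is what you actually
    decide about ("should .12 be talking to .10 at all?").
    """
    return Counter((a.gid, a.sid, a.src, a.dst) for a in alerts)


def suppress_entries(alerts, benign_pairs):
    """Emit `suppress` lines for the (gid, sid, src_ip) triples judged benign.

    `track by_src` keeps the signature live for every other source, so a
    second device starting the same behaviour still alerts.
    """
    lines = []
    for (gid, sid, src, _dst), _count in sorted(summarize(alerts).items()):
        if (gid, sid, src) in benign_pairs:
            line = f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            if line not in lines:
                lines.append(line)
    return lines


def response_lacks_framing(raw_head: bytes) -> bool:
    """True when an HTTP/1.x response head has neither Content-Length nor
    Transfer-Encoding, the condition GID 120 SID 3 reports.

    Such a response is legal (the body is delimited by connection close) but
    typical of minimal embedded web servers. Responses that carry no body by
    definition (1xx, 204, 304) are skipped here; that is this checker's
    choice, not a claim about what http_inspect itself does.
    """
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2) if lines else []
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        return False
    status = int(parts[1])
    if status < 200 or status in (204, 304):
        return False
    names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
    return b"content-length" not in names and b"transfer-encoding" not in names


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, n in summarize(alerts).most_common():
        print(n, key)
    # Assumed decision: .12 is a known device whose replies to .10 are expected.
    for line in suppress_entries(alerts, {(120, 3, "192.168.0.12")}):
        print(line)
```

Run it once over an export of the Alerts tab, look at the counts per pair, verify the unexpected pairs against device logs or a capture, and only then paste the generated `suppress` lines into the Suppress List for the interface. The UNKNOWN METHOD alert from 151.101.124.84 is left unsuppressed in the sample on purpose: the answer above treats it as a probable HTTP-conversation oddity, but the decision belongs to whoever owns .15.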