SNORT blocking too much



  • Hello!

    Is there a feature available to use a live whitelist in Snort?
    Snort is blocking too much for me, for example Netflix. As *.netflix.com is not enough, any ideas here?

    thanks



  • That's odd, it never blocks that for me. Your browser may be allowing local IP out or the like. You can suppress rules with Snort, but I would check why it is firing off a block too.
    Suppress is the quick fix until you have time to check why and such. I think a whitelist uses fewer resources if the suppress list gets large. I tend to check out more before I just whitelist a program.

    ps. Netflix here on Firefox with a basic profile (almost default) and NoScript.
    Firewall blocking QUIC (Google protocol) and allowing ports 80 and 443 only.


  • LAYER 8 Global Moderator

    "any ideas here?"

    Yeah, just put it in monitor mode until you have adjusted the rules.


  • Banned

    @johnpoz:

    "any ideas here?"

    Yeah, just put it in monitor mode until you have adjusted the rules.

    Agreed, it'll take a bit to figure out which rules are giving you false positives.

    Streaming rules & checksum rules are common culprits of false positives.



  • Hi!

    Hm, is there maybe another IDS for pfSense available?
    I was expecting white- and blacklists in the patterns like on pfBlocker.

    For example, Snort is blocking Netflix traffic for me. But the domain names and IPs are not always the same.
    So it's always manual work, is there no handier way?


  • LAYER 8 Netgate

    That's not what snort does. It looks for "patterns." Find the pattern that is generating undesirable blocks, look at what it is actually matching on, decide, for yourself, based on YOUR threat model, whether it is something you do or do not need to match on, and if so, deal with it. If not, add it to the suppression list.

    And as has been suggested, turn off blocking until traffic isn't generating undesirable alerts. Then enable blocking.


  • LAYER 8 Global Moderator

    IPS/IDS is not something that can be idiot-proofed. It's not a web content filter where you pick categories: block porn, allow Netflix ;)

    Yes, the different signatures fall into different categories.

    Tweaking an IPS to provide protection with as few false positives as possible is for sure a skill that has to be honed. You're not going to pick it up overnight, and you sure as hell cannot just put Snort into blocking mode without issues out of the gate.

    You need to run it in monitor mode. Look at what it shows as hits, weed out the false positives or noise caused by your type of traffic and go from there. It will require unending management to keep it running smoothly. Even so, you're going to run into stuff that is blocked that might be legit traffic you want/need to allow.


  • Banned

    @interessierter:

    Hm, is there maybe another IDS for pfSense available?

    Yes, there's Suricata as well. But it won't solve your problem. IPS in general requires you to decide what is a false positive for you and what needs to be blocked.

    That being said there are several threads on the forum where experienced members have posted lists of rules that can be safely disabled for the average user.

    You can check them out but will have to decide for yourself whether or not they work for you.

    From what you've stated about Netflix troubles, a starting place might be disabling the entire stream-events.rules (if you are using ET Open rules?). But you'll need to do more than that.

    https://forum.pfsense.org/index.php?topic=56267.0

    https://forum.pfsense.org/index.php?topic=61018.0

    https://forum.pfsense.org/index.php?topic=64674.0

    https://github.com/jflsakfja/suricata-rules/blob/master/list.txt

    That's some good stuff to read.

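The workflow the last few posts describe (run Snort in monitor mode, look at which signatures fire against your traffic, suppress the noise narrowly, and only disable whole categories such as stream-events after seeing what they actually hit) as an added example, not code from the original thread or from the Snort or pfSense projects. The alert lines are constructed, the SIDs 1000001-1000003 are hypothetical local-rule numbers rather than real ET/VRT signatures, and the addresses are documentation ranges; the script only proposes suppress entries for review and applies nothing.

```python
import re

# Constructed sample of Snort "alert_fast" output captured while running in
# monitor (alert-only) mode.  SIDs 1000001-1000003 are hypothetical local-rule
# numbers, not real ET/VRT signatures; addresses are RFC 5737/1918 ranges.
SAMPLE_ALERTS = """\
01/23-20:01:12.101001  [**] [1:1000001:2] LOCAL STREAM example out-of-window segment [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.20:51002 -> 203.0.113.10:443
01/23-20:01:13.202002  [**] [1:1000001:2] LOCAL STREAM example out-of-window segment [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.20:51003 -> 203.0.113.11:443
01/23-20:01:14.303003  [**] [1:1000001:2] LOCAL STREAM example out-of-window segment [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.21:51004 -> 203.0.113.10:443
01/23-20:01:15.404004  [**] [1:1000002:1] LOCAL checksum example bad TCP checksum [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51005 -> 203.0.113.12:443
01/23-20:01:16.505005  [**] [1:1000002:1] LOCAL checksum example bad TCP checksum [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.22:51006 -> 203.0.113.12:443
01/23-20:02:17.606006  [**] [1:1000003:1] LOCAL policy example outbound telnet [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.30:51007 -> 198.51.100.5:23
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port].
# IPv4 only; protocols without ports (ICMP) leave sport/dport empty.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Per (gid, sid): hit count, message, priority, distinct src and dst hosts."""
    stats = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        s = stats.setdefault(key, {"count": 0, "msg": a["msg"], "prio": a["prio"],
                                   "srcs": set(), "dsts": set()})
        s["count"] += 1
        s["srcs"].add(a["src"])
        s["dsts"].add(a["dst"])
    return stats


def suppress_candidates(alerts, min_hits=2, low_priority=3):
    """
    Propose suppress entries (Snort threshold.conf syntax) for signatures that
    are both noisy (>= min_hits) and low priority (>= low_priority; Snort
    priority 1 is the most severe).  When every hit went to a single
    destination the entry is narrowed with 'track by_dst' so the signature
    stays live for every other host.  Priority-1 and rarely firing signatures
    are deliberately left out for manual review.
    """
    stats = summarize(alerts)
    out = []
    for (gid, sid), s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        if s["count"] < min_hits or s["prio"] < low_priority:
            continue
        if len(s["dsts"]) == 1:
            (ip,) = s["dsts"]
            entry = f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}"
        else:
            entry = f"suppress gen_id {gid}, sig_id {sid}"
        out.append(f"# {s['count']} hits, priority {s['prio']}: {s['msg']}\n{entry}")
    return out


if __name__ == "__main__":
    for block in suppress_candidates(parse_alerts(SAMPLE_ALERTS)):
        print(block)
```

Point `parse_alerts` at the interface's real alert log instead of the constructed sample and read the output as a to-do list, not as a config to paste in blindly: the `suppress gen_id ..., sig_id ...` lines are the syntax Snort's threshold.conf and the pfSense Snort package's suppress list accept, but each one should be checked against what the signature actually matched on before it goes in, and a signature that fires only against one streaming CDN address is better suppressed with `track by_dst` than disabled for the whole network.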


  • @johnpoz:

    IPS/IDS is not something that can be idiot-proofed. It's not a web content filter where you pick categories: block porn, allow Netflix ;)

    Yes, the different signatures fall into different categories.

    Tweaking an IPS to provide protection with as few false positives as possible is for sure a skill that has to be honed. You're not going to pick it up overnight, and you sure as hell cannot just put Snort into blocking mode without issues out of the gate.

    You need to run it in monitor mode. Look at what it shows as hits, weed out the false positives or noise caused by your type of traffic and go from there. It will require unending management to keep it running smoothly. Even so, you're going to run into stuff that is blocked that might be legit traffic you want/need to allow.

    I wish there were a thumbs-up button so I could thumbs this post up.


  • Banned

    @Soarin:

    I wish there was a thumbs up button so I could thumbs this post up.

    The button is called "Thank You". Top right corner of the post.

