Netgate Discussion Forum
    Noob: Practical guide to implementing Snort in a home network

J24

      What is a practical approach to implementing and tuning Snort in a home network environment?

      Lots of posts suggest putting it into alert-only mode (no blocking), enabling a rule policy (like Balanced) and then reviewing the alerts and suppressing the false positives.  I understand this in theory but in practice I can't figure it out.  How do you actually review these alerts and make an informed decision if it's OK to suppress or delete the rule?  And if so many of these rules can be suppressed or deleted, why are they in the rule set to begin with?  Why does the Snort VRT include them as part of a "Balanced" policy set?

      For each rule I look at the explanation of the rule as best I can and I can't really gauge whether it's really a threat.  Then I find that most of the offending IP addresses either can't be resolved or trace back to akamai or AWS or some other CDN which doesn't really tell you much about the source or destination of the potential threat.

      Do people just suppress the rules to turn down the noise and hope for the best?

      When people post these lists of suppressed rules, how do you know that was a smart move?  What if they just opened up threat vectors?

      Or, is this just how it is?

      Thanks!

      After a few days, here is what I've suppressed from the LAN side:
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 3

      #(http_inspect) BARE BYTE UNICODE ENCODING
      suppress gen_id 119, sig_id 4

      #(http_inspect) UNESCAPED SPACE IN HTTP URI
      suppress gen_id 119, sig_id 33

      #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
      suppress gen_id 120, sig_id 8

      #(spp_ssl) Invalid Client HELLO after Server HELLO Detected
      suppress gen_id 137, sig_id 1

      #(http_inspect) UNKNOWN METHOD
      suppress gen_id 119, sig_id 31

      #(http_inspect) IIS UNICODE CODEPOINT ENCODING
      suppress gen_id 119, sig_id 7

      #(http_inspect) DOUBLE DECODING ATTACK
      suppress gen_id 119, sig_id 2

      #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
      suppress gen_id 120, sig_id 10

djseto

        I'd also be interested in a "Snort for Dummies" guide. I have tons of alerts but I have no idea if I should be concerned or if they are all false positives.

Ramosel

          I'm not sure how well it applies anymore as pfBlocker has changed significantly.  But this was the "cookbook" from Demetrius I used when I was getting started with Snort.  He sorta jumps into the deep end but if you follow the thread there is some good setup info within.

          https://forum.pfsense.org/index.php?topic=64674.msg350652#msg350652

iith096

            I came across this video recently and it was very good and might help.

            https://youtu.be/KRlbkG9Bh6I

            Good Luck.

coffeecup25

              Through trial and error, I decided the best way is to set the filtering on high and expect to investigate false positives for a few weeks.

               Snort enables you to easily allow exceptions at a granular level directly from the alerts page. Anything with a '1' is suspicious. If it involves port 80 and, for example, comes from Google or Akamai, it's probably OK and you can put it through there. But look into it a little first. I have found that the need to suppress full rules is not as great with this approach.

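The first post asks how to actually review a pile of alerts before deciding what to suppress, and coffeecup25's reply prefers per-host exceptions over suppressing whole rules. The script below is an added example written for this thread; it is not code from the thread or from the pfSense Snort package. It parses alert lines in Snort's "fast" alert format (the layout the Snort alert file uses), groups them by gid:sid, counts how many LAN and remote hosts each rule touches, and drafts the narrowest suppress entry the evidence supports, using Snort's `suppress gen_id ..., sig_id ..., track by_src|by_dst, ip ...` syntax. The LAN subnet, the six sample alerts (two of which reuse 119:4 and 120:3 from the suppress list above), the made-up local rule 1:1000001, and the breadth-of-hosts heuristic are all assumptions for illustration.

```python
# Added example for this thread; not code from the pfSense Snort package.
import re
from ipaddress import ip_address, ip_network

# Assumed home LAN for the example; change to your own subnet.
LAN_NET = ip_network("192.168.1.0/24")

# Constructed sample alerts (not captured traffic) in Snort's fast-alert layout.
# 119:4 and 120:3 are preprocessor events from the suppress list in the first post;
# 1:1000001 is a made-up local rule used only to show a single-hit alert.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.50:51234 -> 23.45.67.89:80
01/15-10:24:01.000001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.51:40001 -> 104.16.10.20:80
01/15-10:24:09.000002  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.168.1.52:40002 -> 52.10.3.4:80
01/15-10:30:12.000003  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.9:80 -> 192.168.1.50:51300
01/15-10:30:13.000004  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.9:80 -> 192.168.1.50:51301
01/15-11:02:40.000005  [**] [1:1000001:1] LOCAL constructed example rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.50:51400 -> 198.51.100.7:443
"""

# One fast-alert line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then src[:port] -> dst[:port]. IPv4 only, for brevity.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "pri"):
            d[k] = int(d[k])
        for k in ("sport", "dport"):
            d[k] = int(d[k]) if d[k] is not None else None
        alerts.append(d)
    return alerts


def summarize(alerts):
    """Group alerts by (gid, sid): hit count, message, and the hosts/ports involved."""
    summary = {}
    for a in alerts:
        s = summary.setdefault((a["gid"], a["sid"]),
                               {"msg": a["msg"], "count": 0, "srcs": set(), "dsts": set(), "dports": set()})
        s["count"] += 1
        s["srcs"].add(a["src"])
        s["dsts"].add(a["dst"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
    return summary


def suppress_line(gid, sid, track=None, ip=None):
    """Render a Snort threshold.conf suppress entry (the format of the list in the first post)."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track and ip:
        line += f", track {track}, ip {ip}"
    return line


def triage(summary, lan=LAN_NET):
    """Return (key, suggested suppress line or None, reason) per rule.
    Heuristic is this example's assumption: prefer a single-host suppress, and
    call a rule pure noise only when several LAN hosts trip it on web ports."""
    results = []
    for key, s in sorted(summary.items()):
        gid, sid = key
        hosts = s["srcs"] | s["dsts"]
        local = {h for h in hosts if ip_address(h) in lan}
        remote = hosts - local
        if len(remote) == 1 and s["count"] >= 2:
            rip = next(iter(remote))
            track = "by_src" if rip in s["srcs"] else "by_dst"
            results.append((key, suppress_line(gid, sid, track, rip),
                            f"{s['count']} hits, all with {rip}; look the host up, then suppress just for it"))
        elif len(local) >= 3 and s["dports"] <= {80, 443}:
            results.append((key, suppress_line(gid, sid),
                            f"{len(local)} LAN hosts trip it on web ports; whole-rule suppression is defensible"))
        else:
            results.append((key, None, "too few hits to generalise; investigate before suppressing"))
    return results


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for (gid, sid), line, why in triage(summary):
        print(f"[{gid}:{sid}] {summary[(gid, sid)]['msg']}")
        print(f"    {why}")
        print(f"    {line or '# no suppress entry suggested'}")
```

Point it at a copy of the real alert file and treat the output as a starting point, not a verdict: the heuristic only measures how widely a rule fires, so a rule that trips on every LAN host can still be a real problem, and a single hit still deserves a look before anything is pasted into the suppress list. The `track by_src, ip ...` form is the same suppress syntax as the list in the first post, just scoped to one address instead of silencing the rule for the whole network.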
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.