Snort - when to suppress?
-
I always find it hard to find information on when something should be suppressed/allowed.
I wonder how others do it? I always look here and hope the list is safe: https://forum.pfsense.org/index.php?topic=56267.0
But now I have these alerts and I don't know what to do with them:
(spp_sip) Content length mismatch 140:18
BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt 1:42210
PROTOCOL-SCADA Moxa discovery packet information disclosure attempt 1:42016
And just to make sure I get it right.
The word "suppress" is a bit confusing for my German head.
suppress = allow
It could also mean just to eliminate the alerts.
-
Here is a good article that discusses when to suppress. I know you have to translate, so here is a highlight from jflsakfja/bmeeks' guide for tuning Snort:
Instructions on making the most of your shiny new IDS
Snort is designed to block pretty much anything you can think of. That's why there are many false positives. When I first started using snort, I was constantly banging my head on my desk because most sites would be blocked for (seemingly) no reason.
The CORRECT way to stop false positives is to disable the rules causing them, NOT using suppression lists. I may hear you ask "but all other places on the internet say use suppression lists, why shouldn't I?".
A little (simplified) info on how snort works will help you understand why.
Snort takes the packets and analyses them. Matches to the rules will be forwarded to alerts, then pfsense's plugin takes over and bans them. Suppression lists work just before the last step. They stop alerts from being produced. Disabling rules stops the "process" at the very beginning. Why analyze a packet if you are going to ignore it? This saves CPU processing which could be used for other purposes (eg enable more rules).
There are times when this will not work. Rules deep deep inside snort (preprocessor rules) have no way of being disabled (if I'm wrong about this, please correct me). That's where suppression lists become useful.
The article then goes on to discuss how to research alerts… it might be dated but I think it's still relevant:
https://forum.pfsense.org/index.php?topic=61018.0
-
I must be doing something wrong when I read that people have so many alerts, or I use the internet wrong ;D
I don't have many alerts and have only 14 in my suppress list.
Is it because I only have the free Snort VRT rules running as balanced?
I never changed anything in the interface settings like preprocessors (Host Attribute Table, Application ID Detection, Portscan Detection are disabled)
and Barnyard2 is also off.
I always thought this is already a lot better for a home firewall than the consumer devices.
Edit:
I see the guy you quoted also adds stuff to a suppression list.
Why that, if he says it's better to disable the rules?
The rules are there in preprocessor.rules:
DOUBLE DECODING ATTACK
IIS UNICODE CODEPOINT ENCODING
NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
-
MrGlasspoole,
I do not know enough about your configuration (devices, network configuration), your needs (e.g. how secure do you want your network?), the hardware you have (e.g. Snort takes resources and suppression can take more CPU power) or how much time you want to spend managing your firewall. You need to balance usability with security… An IDS/IPS takes time to tune and learn. It also takes resources, which are limited.
I see a lot of alerts on my log with:
DOUBLE DECODING ATTACK
NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
I suppress, disable and periodically start over.
I think you want me to say it is OK to disable those rules and maybe make you feel better that your network is safe but I can't. Welcome to IPS!!
My advice is use Snort to monitor(IDS) at first and then change it to block(IPS). Take the time to understand your network...
One approach is:
Put untrusted IoT devices on a separate interface (maybe disable Snort rules on this interface so you have a higher degree of functionality) and then have a strict interface for more secure devices (suppress alerts with Snort on this interface so you have more security). Make sure the interfaces can't communicate between themselves, or are very limited in doing so.
I would defer to the others on this forum to agree, rip my approach to shreds or provide their best practices.
Good luck, and yes, pfSense is way better than consumer devices, but it does require some know-how...
-
Sure, I also have:
DOUBLE DECODING ATTACK
NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
After your suggestion I disabled it in preprocessor.rules.
I just wonder why the guy who says it's better to disable than to suppress is suppressing them.
I have had Snort running for ~3 years now. But I don't have that many alerts, so I don't have as much to suppress as the others in the link you gave me.
That is what I wonder about…
-
MrGlasspoole… just to be clear, I do not recommend that you disable those rules. If you are not getting many alerts, "Suppress" might be a better route for you, assuming you have the available resources for your firewall to work harder.
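A small tuning helper, added here and not posted by anyone in the thread, that applies the suppress-versus-disable distinction discussed above: it tallies Snort fast-format alert lines by GID:SID, treats gid 1 text rules as candidates for disabling (which stops the detection work itself) and preprocessor rules such as 140:18 as suppress-only, narrowing the suppression to one source host when only one host fired it. The alert lines are constructed samples; the Snort 2 threshold.conf `suppress` syntax is real, while the one-`gid:sid`-per-line disable list is assumed to match pfSense's disablesid format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's "fast" alert format; not real captures.
SAMPLE_ALERTS = """\
03/12-14:22:05.123456  [**] [140:18:1] (spp_sip) Content length mismatch [**] [Priority: 3] {UDP} 192.168.1.20:5060 -> 203.0.113.9:5060
03/12-14:22:07.000001  [**] [140:18:1] (spp_sip) Content length mismatch [**] [Priority: 3] {UDP} 192.168.1.20:5060 -> 203.0.113.9:5060
03/12-14:23:11.500000  [**] [1:42210:2] BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.1.10:51234
03/12-14:25:40.250000  [**] [1:42016:1] PROTOCOL-SCADA Moxa discovery packet information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.33:4800 -> 192.168.1.255:4800
"""
# Captures gid, sid, rule message, and the source IP of the packet that fired the alert.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*\{\w+\} ([\d.]+):\d+ -> ")

def tally(alert_text):
    """Group alerts by (gid, sid): hit count, rule message, set of source IPs."""
    groups = defaultdict(lambda: {"count": 0, "msg": "", "sources": set()})
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        gid, sid, msg, src = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        groups[(gid, sid)]["count"] += 1
        groups[(gid, sid)]["msg"] = msg
        groups[(gid, sid)]["sources"].add(src)
    return dict(groups)

def plan(groups):
    """gid 1 text rules: disable (the packet is never matched against them again).
    Preprocessor rules (other gids): suppress, per source host when only one fires it."""
    actions = []
    for (gid, sid), g in sorted(groups.items()):
        if gid == 1:
            act = {"action": "disable"}
        elif len(g["sources"]) == 1:
            act = {"action": "suppress_src", "ip": next(iter(g["sources"]))}
        else:
            act = {"action": "suppress"}
        actions.append({"gid": gid, "sid": sid, "count": g["count"], **act})
    return actions

def render(actions):
    """Snort 2 threshold.conf 'suppress' entries plus assumed pfSense-style 'gid:sid' disable lines."""
    suppress, disable = [], []
    for a in actions:
        if a["action"] == "disable":
            disable.append(f"{a['gid']}:{a['sid']}")
        elif a["action"] == "suppress_src":
            suppress.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['ip']}")
        else:
            suppress.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}")
    return suppress, disable
```

Review the count and message per entry before acting on the output: a gid 1 rule that fires once on a real target is a rule to investigate, not to disable.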