A couple issues I'm having with snort



  • I have snort enabled on my WAN and LAN
    I the IPS Policy Selection set to security on both
    I left it generate alerts for a few days and then disabled the false positives by clicking the red X in the SID column.
    However the Alerts still kept coming from these disabled rules but now there is a yellow circle with an X in it which states "Rule is forced to a disabled state. Click to remove the force-disable action from this rule"
    so on the WAN alerts I clicked on the "Add this alert to the Suppress List"
    I thought that disabling the rule would stop the alerts for that rule. NO?
    So I did the same on the LAN side with disabling the rules but now I still get the alerts with that yellow circle with the X
    And I get an error if I try to add the alerts to the suppress list.

    The following input errors were detected:
    
    Suppress List 'lansuppress_5b5e0400b89b7' is defined for this interface, but it could not be found!
    

    If I go to Suppress List there is only one listed for WAN

    I had enabled blocking on the WAN interface and everything seemed to be fine. It was mostly generating alerts for port scans and Fragmentation overlap.

    But I ran into an issues. I have OpenVPN setup so I can access my network from my cell phone but snort is blocking access shortly after connection and the alert shows as a "(portscan) UDP Filtered Portscan"
    So I was wondering if anyone can help me with that one.



  • Anyone?



  • Turn off the Portscan preprocessor. It is highly prone to false positives without extensive tuning. You can do this under the PREPROCESSORS tab for the interface.

    I also recommend using the "Connectivity" policy for several months until you get quite familiar with how Snort behaves in your environment. "Security" is very restrictive and much more prone to false positives. The nature of your questions in your post indicate you are likely a novice with an IDS/IPS. Turning on maximum security at the start is a recipe for frustration.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy