A couple issues I'm having with snort



  • I have snort enabled on my WAN and LAN.
    I have the IPS Policy Selection set to security on both.
    I let it generate alerts for a few days and then disabled the false positives by clicking the red X in the SID column.
    However, the alerts still kept coming from these disabled rules, but now there is a yellow circle with an X in it which states "Rule is forced to a disabled state. Click to remove the force-disable action from this rule".
    So on the WAN alerts I clicked on the "Add this alert to the Suppress List".
    I thought that disabling the rule would stop the alerts for that rule. NO?
    So I did the same on the LAN side with disabling the rules, but now I still get the alerts with that yellow circle with the X.
    And I get an error if I try to add the alerts to the suppress list.

    The following input errors were detected:
    
    Suppress List 'lansuppress_5b5e0400b89b7' is defined for this interface, but it could not be found!
    

    If I go to Suppress List there is only one listed for WAN

    I had enabled blocking on the WAN interface and everything seemed to be fine. It was mostly generating alerts for port scans and Fragmentation overlap.

    But I ran into an issue. I have OpenVPN set up so I can access my network from my cell phone, but snort is blocking access shortly after connection and the alert shows as a "(portscan) UDP Filtered Portscan".
    So I was wondering if anyone can help me with that one.



  • Anyone?



  • Turn off the Portscan preprocessor. It is highly prone to false positives without extensive tuning. You can do this under the PREPROCESSORS tab for the interface.

    I also recommend using the "Connectivity" policy for several months until you get quite familiar with how Snort behaves in your environment. "Security" is very restrictive and much more prone to false positives. The nature of your questions in your post indicates you are likely a novice with an IDS/IPS. Turning on maximum security at the start is a recipe for frustration.



  • Thanks for the reply. Trying to learn how to use new stuff like snort is not fun when you don't have people to ask "Hey am I doing this right" or "Why isn't this working?".



  • @techsanity said in A couple issues I'm having with snort:

    Thanks for the reply. Trying to learn how to use new stuff like snort is not fun when you don't have people to ask "Hey am I doing this right" or "Why isn't this working?".

    Go have a look at this thread here on the forum. It has a long discussion about false positives and suppress rules for them. There is a good summary in the very last post in that thread (which occurred 3 days ago).

    Also, while this thread is specifically about Suricata, there is good information in it that can be applied to Snort as well.

    Oh, and one last thing I forgot to mention in my previous reply --
    to fix that error when clicking suppress on the ALERTS tab, the best thing to do is delete all Suppress Lists, reset all Suppress Lists on interfaces to "default" and then start over. Here's how to do that.

    1. Go to the INTERFACES tab and edit each configured Snort interface. Scroll down to the Suppress List section and set the drop-down to "default". Save the change for each interface.

    2. Now go to the SUPPRESS tab and delete any lists shown there.

    What's happened is that at some point an automatically-generated Suppress List was created and assigned to your LAN interface, but then later that list got deleted. In Snort, it will let you delete an "assigned" Suppress List. But if you do, then you will get an error like you are seeing.



  • Do you know how to fix this issue?

    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4130 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4385 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4387 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4109 is UNKNOWN
    Aug 17 16:32:18	snort	80652	AppInfo: AppId 4043 is UNKNOWN
    Aug 17 16:50:00	snort	46475	invalid appid in appStatRecord (4385)
    Aug 17 16:50:02	snort	83434	invalid appid in appStatRecord (4385)
    Aug 17 17:20:02	snort	83434	invalid appid in appStatRecord (742)
    Aug 17 17:20:02	snort	46475	invalid appid in appStatRecord (4385)
    Aug 17 17:20:02	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:25:02	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:25:02	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:25:03	snort	83434	invalid appid in appStatRecord (742)
    Aug 17 17:25:03	snort	83434	invalid appid in appStatRecord (742)
    Aug 17 17:30:02	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:30:03	snort	83434	invalid appid in appStatRecord (742)
    Aug 17 17:40:04	snort	83434	invalid appid in appStatRecord (742)
    Aug 17 17:40:04	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:45:00	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:45:00	snort	46475	invalid appid in appStatRecord (742)
    Aug 17 17:45:00	snort	83434	invalid appid in appStatRecord (742)
    Aug 17 17:45:00	snort	83434	invalid appid in appStatRecord (742)
    

    should I just re-install snort and start over?



  • Those messages are somewhat common. The AppId values will vary. The messages mean a rule is referencing an AppID code that is not defined. I've been seeing these messages ever since Snort released AppID to the public domain. They won't stop Snort from running.

    Be aware that AppID is extremely noisy and will overwhelm your logs on a busy network. It will bury other traffic in a lot of useless noise. AppID might have its place in a tap monitor setup, but I would never enable it on a firewall with Snort configured for blocking. Doing so will basically immediately kill your network. The only exception would be if you only enabled a very tiny handful of OpenAppID rules.
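    A quick way to see what is actually behind a flood of these AppID messages before deciding to reinstall is to tally them by AppId code. This is an added example (not code from the thread or the pfSense Snort package); the sample log lines are constructed here, modelled on the tab-separated system-log excerpt posted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the posted log excerpt.
# Fields are tab-separated: timestamp, process, pid, message.
SAMPLE_LOG = """\
Aug 17 16:32:18\tsnort\t80652\tAppInfo: AppId 4130 is UNKNOWN
Aug 17 16:32:18\tsnort\t80652\tAppInfo: AppId 4130 is UNKNOWN
Aug 17 16:32:18\tsnort\t80652\tAppInfo: AppId 4385 is UNKNOWN
Aug 17 16:50:00\tsnort\t46475\tinvalid appid in appStatRecord (4385)
Aug 17 17:20:02\tsnort\t83434\tinvalid appid in appStatRecord (742)
Aug 17 17:20:02\tsnort\t46475\tinvalid appid in appStatRecord (742)
Aug 17 17:20:05\tsnort\t46475\tsome unrelated snort message
"""

# The two message forms seen in the excerpt; both carry the AppId code.
UNKNOWN_RE = re.compile(r"AppInfo: AppId (\d+) is UNKNOWN")
STATREC_RE = re.compile(r"invalid appid in appStatRecord \((\d+)\)")


def tally_appid_noise(log_text):
    """Return (unknown, statrec, other): two Counters of AppId code ->
    occurrences, one per message form, plus the count of other lines."""
    unknown, statrec, other = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[int(m.group(1))] += 1
            continue
        m = STATREC_RE.search(line)
        if m:
            statrec[int(m.group(1))] += 1
            continue
        other += 1  # anything that is not an AppID complaint
    return unknown, statrec, other


def undefined_appids(log_text):
    """Sorted list of distinct AppId codes Snort reports as undefined,
    regardless of which of the two message forms reported them."""
    unknown, statrec, _ = tally_appid_noise(log_text)
    return sorted(set(unknown) | set(statrec))


if __name__ == "__main__":
    u, s, o = tally_appid_noise(SAMPLE_LOG)
    print("UNKNOWN:", dict(u), "appStatRecord:", dict(s), "other lines:", o)
    print("distinct undefined AppIds:", undefined_appids(SAMPLE_LOG))
```

    On a real box, feed it the Snort lines from the system log and you typically find only a handful of distinct codes behind hundreds of lines, which matches the point above that these are rule-reference complaints rather than a broken install.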