Snort
-
Hello all, new to all this but I installed snort, got my oink code... things are running right? However, now I don't know what should or should not be blocked. I see alerts, one of which is (http_inspect no content-length or transfer-encoding in http response). Don't know if this is an issue and if so how do I block it. I did not set up to block anything because I am sadly ignorant as to what I should block... can anyone help me?
-
Your best bet is to look at what devices are triggering rules. Don't enable blocking to start off with, just alert, then suck the alerts into a spreadsheet and look at the stats.
They are disabled here:-
FWIW I've disabled these:-
HI_CLIENT_DOUBLE_DECODE
HI_CLIENT_BARE_BYTE
HI_CLIENT_IIS_UNICODE
HI_CLIENT_UNKNOWN_METHOD
HI_CLIENT_SIMPLE_REQUEST
HI_CLIENT_UNESCAPED_SPACE_IN_URI
HI_SERVER_NO_CONTLEN
HI_CLISRV_MSG_SIZE_EXCEPTION
SSL_INVALID_CLIENT_HELLO
SSL_INVALID_SERVER_HELLO
SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK
SIP_EVENT_MAX_DIALOGS_IN_A_SESSION
-
Hmmm, I must have done something wrong in my setup... I am running this on my WAN side; yours appears to be on your LAN side.
-
I run it on both.
If you have a host on your LAN causing issues you actually see the IP address of the host rather than the WAN IP address post-NAT.
-
Thanks, I see... I actually have it running on my WAN side, not my LAN. I'll set it up on my LAN side. Currently have the IPS policy set to security on the WAN side and just turned on blocking to see if it actually breaks my network. Don't think it's the best way to go about this, but then I can open things up as they pop up.
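Added example, not posted by anyone in this thread: a small Python script that does the triage the first reply recommends (alert first, then tally the alerts) instead of going straight to blocking as in the last post. It parses Snort alert_fast lines into counts per signature and per source address, so a chatty preprocessor event such as the http_inspect one in the opening post (GID 120, SID 3 in Snort's numbering) shows up with its volume and the hosts involved before you decide whether to suppress it. The alert lines are constructed for this example and the regex assumes the standard alert_fast layout.

```python
import re
from collections import Counter

# Snort "alert_fast" layout, one event per line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):?(?P<sport>\d*)\s+->\s+(?P<dst>[^\s:]+):?(?P<dport>\d*)\s*$"
)

# Constructed sample alerts (documentation-range addresses). 120:3 is the
# http_inspect "no content-length or transfer-encoding" event from the thread;
# 1:1000001 is a placeholder local rule.
SAMPLE_ALERTS = """\
03/14-10:22:31.104512  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234
03/14-10:22:32.204512  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51235
03/14-10:22:40.004512  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.31:49152
03/14-10:23:05.774512  [**] [1:1000001:1] LOCAL placeholder rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:51240
"""

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count events per signature (gid, sid, message) and per source address."""
    by_sig, by_src = Counter(), Counter()
    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            continue
        by_sig[(int(ev["gid"]), int(ev["sid"]), ev["msg"])] += 1
        by_src[ev["src"]] += 1
    return by_sig, by_src

def noisy_preprocessor_events(by_sig, threshold=2):
    """Preprocessor events (gid != 1, e.g. http_inspect is gid 120) firing more than
    `threshold` times: the usual candidates to review, then suppress or disable."""
    return sorted((g, s, c) for (g, s, _), c in by_sig.items() if g != 1 and c > threshold)

if __name__ == "__main__":
    sigs, srcs = summarize(SAMPLE_ALERTS.splitlines())
    for (gid, sid, msg), n in sigs.most_common():
        print(f"{n:4d}  {gid}:{sid}  {msg}")
    for src, n in srcs.most_common():
        print(f"{n:4d}  {src}")
    print("review before suppressing:", noisy_preprocessor_events(sigs))
```

Point it at a real alert file with `summarize(open("alert").read().splitlines())` and sort on the counts, which is the spreadsheet step done in code.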