Suppression list for Webservers - Snort
-
Hi Guys,
Anyone have a suppression lists/whitelist for a shop that mostly cater webservices or webservers?
I've been constantly getting the following not sure if some of these are still consider false positive
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) UNESCAPED SPACE IN HTTP URIThis one, majority of the IP are abusive as per abusiveipdb.com so I believe this is legit:
(http_inspect) PROTOCOL-OTHER HTTP server response before client requestAppreciate your response!
-
Several of the HTTP_INSPECT rules in Snort will false positive these days. It mostly is caused by the way websites use all the JavaScripting stuff to serve up ads (and, to some extent, to attempt evasion of ad blockers on clients). Nothing necessarily "nefarious" in most cases, but it does violate RFC standards for such things and thus the rules will alert.
Most of us just disable those HTTP_INSPECT rules that fire frequently on known good websites. The first two alerts you listed in your post are the most frequently "disabled" rules for most of us. Just click the red X next to the GID:SID on the ALERTS tab and the rule will be disabled.
Here is a very long thread with discussions about false-positive prone rules and the various suppress lists and rule disables some users have in their configurations.
https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.
-
Thanks mate