Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suppression list for Webservers - Snort

    Scheduled Pinned Locked Moved IDS/IPS
    3 Posts 2 Posters 923 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      laxal64243
      last edited by

      Hi Guys,

      Anyone have a suppression lists/whitelist for a shop that mostly cater webservices or webservers?

      I've been constantly getting the following not sure if some of these are still consider false positive

      (http_inspect) BARE BYTE UNICODE ENCODING
      (http_inspect) UNESCAPED SPACE IN HTTP URI

      This one, majority of the IP are abusive as per abusiveipdb.com so I believe this is legit:
      (http_inspect) PROTOCOL-OTHER HTTP server response before client request

      Appreciate your response!

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        Several of the HTTP_INSPECT rules in Snort will false positive these days. It mostly is caused by the way websites use all the JavaScripting stuff to serve up ads (and, to some extent, to attempt evasion of ad blockers on clients). Nothing necessarily "nefarious" in most cases, but it does violate RFC standards for such things and thus the rules will alert.

        Most of us just disable those HTTP_INSPECT rules that fire frequently on known good websites. The first two alerts you listed in your post are the most frequently "disabled" rules for most of us. Just click the red X next to the GID:SID on the ALERTS tab and the rule will be disabled.

        Here is a very long thread with discussions about false-positive prone rules and the various suppress lists and rule disables some users have in their configurations.

        https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.

        1 Reply Last reply Reply Quote 0
        • L
          laxal64243
          last edited by

          Thanks mate

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.