Need help with snort block rules


  • Hello.

    I'm not familiar with Snort yet and need help with some settings to understand them.

    My current settings:

    Snort Interfaces=> LAN Settings=> Block Settings:
    Block Offenders - enabled
    IPS Mode - Inline Mode

    LAN Categories:
    Use IPS Policy - enabled
    IPS Policy Selection - Security
    IPS Policy Mode - Policy
    Ruleset: Snort OPENAPPI Rules - all enabled

    LAN Preprocs:
    Application ID Detection - enabled
    AppID Stats Logging - enabled

    SID Mgmt:
    Enable Automatic SID State Management - enabled

    I plan to block everything and allow only certain applications to access the Internet.

    To my questions:
    Is this even possible?
    Are my settings set correctly or what do I have to change?

    Edit:
    I use pfSense 2.5.0-DEVELOPMENT.


  • You are setting yourself up for a lot of irritation by using the "Security" IPS Policy. That policy is very stringent and highly likely to generate many false positives in most networks without tuning by the security admin. That means you are likely to get things blocked that you need to work and that are in all probability not malicious.

    New IDS/IPS admins should always first run the system in non-blocking mode for at least a couple of weeks to get a feel for the number and type of alerts generated in their network. The admin needs to keep a constant eye on the ALERTS tab and research the alerts seen there using Google and any other tools at their disposal. Rules that are generating known false-positives should be either disabled or suppressed (disabled is usually better as then the rule does not consume CPU time or memory space).

    After watching the ALERTS tab for some period of time and tuning the enabled rules, things will generally go much better when blocking is then enabled.

    The IPS Security Policy "Connectivity" is perfectly acceptable as a starter policy, and is what I highly recommend you switch to. After several months of running the IDS/IPS and getting your rules "tuned", you can consider upping to "Balanced". There is almost never a good reason in my view to use "Security" unless you are willing to watch and fiddle with the IDS/IPS every hour of every day (or darn near that much attention) on a busy network.

    And in terms of SID MGMT, unless you create your own custom conf files for enabling, disabling or modifying SIDs, then enabling that option does zero.

    Planning to "block everything and only allow certain applications to access the Internet" is also a recipe for a giant headache. That is not how most folks generally set things up. Mostly because getting all the ports and protocols correctly aligned for all the applications out there is a very tall order.


  • Thanks for the detailed answer @bmeeks.

    So in my case as a beginner:

    1. activate the IPS security policy "Connectivity"
    2. disable SID MGMT
    After several months of running the IDS/IPS and getting your rules "tuned", you can consider upping to "Balanced".
    

    Watching the ALERTS tab for a while is no problem.

    What should I understand by "tune" rules, what are the possibilities?


  • @Michael9876 said in Need help with snort block rules:

    Thanks for the detailed answer @bmeeks.

    So in my case as a beginner:
    What should I understand by "tune" rules, what are the possibilities?

    Some rules will likely need to be disabled. It is quite common for a number of the HTTP_INSPECT preprocessor rules to false-positive with today's web technology and the widespread use of HTTPS. This link contains a long thread with input from a number of experienced IDS/IPS admins. It is a great place to start learning about "tuning" your IDS/IPS --

    https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf
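A worked example of the tuning loop described in the two replies above (review the alerts, find the noisy rules, then feed chosen SIDs to a custom disablesid conf for the SID Mgmt tab). This is an added example, not code from the thread, from bmeeks, or from the pfSense Snort package. It assumes the alerts are in Snort's "alert_fast" text format; the sample alert lines and the SIDs 1000001/1000002 in them are constructed placeholders, and the `gid:sid` one-per-line output follows the PulledPork-style disablesid.conf syntax the SID Mgmt tab accepts. A high hit count only marks a rule as a candidate for review; deciding whether it is a false positive is still the admin's job.

```python
"""Summarise Snort alert_fast alerts per rule and draft disablesid.conf candidates.

Added example (not from the forum thread). Assumes Snort "alert_fast" format.
"""
import re
from collections import Counter

# Constructed sample alerts in alert_fast format; SIDs 1000001/1000002 are placeholders,
# IPs come from the RFC 5737 documentation ranges. Not real traffic.
SAMPLE_ALERTS = """\
03/14-10:01:02.123456  [**] [1:1000001:2] EXAMPLE HTTP_INSPECT test rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:51234 -> 198.51.100.10:443
03/14-10:01:05.223456  [**] [1:1000001:2] EXAMPLE HTTP_INSPECT test rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.21:51235 -> 198.51.100.10:443
03/14-10:02:07.323456  [**] [1:1000001:2] EXAMPLE HTTP_INSPECT test rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.22:51236 -> 198.51.100.10:443
03/14-10:03:09.423456  [**] [119:31:1] (http_inspect) EXAMPLE preprocessor event [**] [Priority: 3] {TCP} 192.168.1.20:51240 -> 198.51.100.10:80
03/14-10:04:11.523456  [**] [1:1000002:1] EXAMPLE scan rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.168.1.20:22
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, "src -> dst". Classification is optional for preprocessor events.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"] or "",
        "priority": int(d["pri"]),
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
    }


def summarize(text):
    """Count alerts per (gid, sid) and remember each rule's message text."""
    counts = Counter()
    msgs = {}
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip blank or malformed lines rather than abort
        key = (alert["gid"], alert["sid"])
        counts[key] += 1
        msgs[key] = alert["msg"]
    return counts, msgs


def disablesid_candidates(counts, msgs, threshold):
    """Return disablesid.conf-style lines ("gid:sid", each preceded by a '#' comment)
    for rules that fired at least `threshold` times. Candidates only: the admin still
    has to research each one before deciding to disable it."""
    lines = []
    for (gid, sid), n in counts.most_common():
        if n < threshold:
            break  # most_common() is sorted descending, so nothing after this qualifies
        lines.append(f"# {n} alerts: {msgs[(gid, sid)]}")
        lines.append(f"{gid}:{sid}")
    return lines


if __name__ == "__main__":
    counts, msgs = summarize(SAMPLE_ALERTS)
    for (gid, sid), n in counts.most_common():
        print(f"{n:5d}  {gid}:{sid}  {msgs[(gid, sid)]}")
    print("\n".join(disablesid_candidates(counts, msgs, threshold=3)))
```

Run it against a real alert file by reading the file contents into `summarize()` instead of `SAMPLE_ALERTS`; the candidate lines it prints are what you would copy into your own disablesid conf file under SID Mgmt after checking each rule.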