    Need help with snort block rules

    Michael9876
    last edited by Michael9876

      Hello.

      I'm not familiar with Snort yet and need help with some settings to understand them.

      My current settings:

      Snort Interfaces=> LAN Settings=> Block Settings:
      Block Offenders - enabled
      IPS Mode - Inline Mode

      LAN Categories:
      Use IPS Policy - enabled
      IPS Policy Selection - Security
      IPS Policy Mode - Policy
      Ruleset: Snort OPENAPPI Rules - all enabled

      LAN Preprocs:
      Application ID Detection - enabled
      AppID Stats Logging - enabled

      SID Mgmt:
      Enable Automatic SID State Management - enabled

      I plan to block everything and allow only certain applications to access the Internet.

      To my questions:
      Is this even possible?
      Are my settings set correctly or what do I have to change?

      Edit:
      I use pfSense 2.5.0-DEVELOPMENT.

    bmeeks
    last edited by bmeeks

        You are setting yourself up for a lot of irritation by using the "Security" IPS Policy. That policy is very stringent and highly likely to generate many false positives in most networks without tuning by the security admin. That means you are likely to get things blocked that you need to work and that are in all probability not malicious.

        New IDS/IPS admins should always first run the system in non-blocking mode for at least a couple of weeks to get a feel for the number and type of alerts generated in their network. The admin needs to keep a constant eye on the ALERTS tab and research the alerts seen there using Google and any other tools at their disposal. Rules that are generating known false-positives should be either disabled or suppressed (disabled is usually better as then the rule does not consume CPU time or memory space).

        After watching the ALERTS tab for some period of time and tuning the enabled rules, things will generally go much better when blocking is then enabled.

        The IPS Security Policy "Connectivity" is perfectly acceptable as a starter policy, and is what I highly recommend you switch to. After several months of running the IDS/IPS and getting your rules "tuned", you can consider upping to "Balanced". There is almost never a good reason in my view to use "Security" unless you are willing to watch and fiddle with the IDS/IPS every hour of every day (or darn near that much attention) on a busy network.

        And in terms of SID MGMT, unless you create your own custom conf files for enabling, disabling or modifying SIDs, then enabling that option does zero.

        Planning to "block everything and only allow certain applications to access the Internet" is also a recipe for a giant headache. That is not how most folks generally set things up. Mostly because getting all the ports and protocols correctly aligned for all the applications out there is a very tall order.

    Michael9876
    last edited by

          Thanks for the detailed answer @bmeeks.

          So in my case as a beginner:

          1. activate the IPS security policy "Connectivity"
          2. disable SID MGMT
          After several months of running the IDS/IPS and getting your rules "tuned", you can consider upping to "Balanced".
          

          Watching the ALERTS tab for a while is no problem.

          What should I understand by "tune" rules, what are the possibilities?

    bmeeks @Michael9876
    last edited by

            @Michael9876 said in Need help with snort block rules:

            Thanks for the detailed answer @bmeeks.

            So in my case as a beginner:
            What should I understand by "tune" rules, what are the possibilities?

            Some rules will likely need to be disabled. It is quite common for a number of the HTTP_INSPECT preprocessor rules to false-positive with today's web technology and the widespread use of HTTPS. This link contains a long thread with input from a number of experienced IDS/IPS admins. It is a great place to start learning about "tuning" your IDS/IPS --

            https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf

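The tuning workflow bmeeks describes (watch the alerts, find the rules that fire constantly on benign traffic, then disable them, optionally through a SID Mgmt conf file) can be started with a simple tally over the alert log. The script below is an added example, not code from this thread or from the pfSense Snort package: it parses constructed Snort "alert_fast" style lines, counts hits per generator:SID, and emits candidate `gid:sid` lines in the PulledPork-style syntax that SID Mgmt disablesid files are assumed to accept. The "many hits at low priority" filter is a triage heuristic for human review, and the SIDs (local-rule range 1000001+) and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "alert_fast" format (not a real capture).
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:3] LOCAL noisy http_inspect style rule [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51000 -> 203.0.113.10:443
01/15-10:23:46.223456  [**] [1:1000001:3] LOCAL noisy http_inspect style rule [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.21:51001 -> 203.0.113.10:443
01/15-10:23:47.323456  [**] [1:1000001:3] LOCAL noisy http_inspect style rule [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:51002 -> 203.0.113.10:443
01/15-10:24:01.000001  [**] [1:1000002:1] LOCAL rare rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.30:40000 -> 192.168.1.1:53
01/15-10:25:10.000002  [**] [1:1000001:3] LOCAL noisy http_inspect style rule [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.23:51003 -> 203.0.113.10:443
"""

# [gid:sid:rev] followed by the rule message, then the classification/priority block.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\]"
)

def tally_alerts(text):
    """Return {(gid, sid): (hit_count, msg, priority)} for every parsable alert line."""
    counts = Counter()
    meta = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-alert record
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        meta[key] = (m["msg"], int(m["prio"]))
    return {k: (counts[k], meta[k][0], meta[k][1]) for k in counts}

def candidate_disablesid_lines(tally, min_hits, min_priority=3):
    """List rules that fired at least min_hits times with Snort priority >= min_priority
    (1 is most severe, so 3 means low urgency). Each candidate becomes a '#' comment
    line with context followed by a bare gid:sid line (assumed PulledPork/SID Mgmt
    syntax). This is a review list for the admin, not an automatic change."""
    out = []
    for (gid, sid), (count, msg, prio) in sorted(tally.items()):
        if count >= min_hits and prio >= min_priority:
            out.append(f"# {count} hits, prio {prio}: {msg}")
            out.append(f"{gid}:{sid}")
    return out

if __name__ == "__main__":
    tally = tally_alerts(SAMPLE_ALERTS)
    for line in candidate_disablesid_lines(tally, min_hits=3):
        print(line)
```

Before disabling anything, confirm the traffic behind each candidate is really benign; a high hit count alone does not make a rule a false positive.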
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.