Recommended Snort rules to change from "Alert" to "Block"?

Enso_

Now that I have Snort up and running without any issues, are there any rules you recommend changing from Alert to Block? I’ve noticed that most rules triggered during tests or actual events only generate alerts and don’t block, even though I have the Automatically Block setting enabled. Is there a resource or guideline on which rules should be set to Block, in addition to those that are already blocked by default?

I’m aware this depends on the specific environment, but I’m hoping there are some general guidelines available.

Thank you!

bmeeks

You can't do this in Snort unless you are using the Inline IPS Mode with netmap.

Since you asked the question, I'm assuming you must be using Inline IPS Mode. With Legacy Blocking Mode, all alerts result in "blocks" unless the offending IP is covered by a Pass List entry. With Inline IPS Mode, only rules whose action keyword is changed to DROP will actually block traffic.

For a beginner IPS admin using Snort, I recommend you choose the option on the CATEGORIES tab to use an IPS Policy and set that policy to "Connectivity". That is a good starter policy that will not generate a ton of false positives. It will automatically set some rules to ALERT and others to DROP based on the internal IPS policy metadata coded into each rule by the Snort VRT (vunerability research team).

It is also good practice to first run in IDS-only mode (meaning do not enable blocking on the INTERFACE SETTINS tab) for a few weeks to get a feel for what kind of traffic is flowing on your network and what, if any, false positives might occur. You can tune the rules if necessary during this period by disabling or suppressing particular SIDs (signature IDs) on the ALERTS tab. You also need to regularly check the ALERTS tab during this period to see what's been logged.

Once you feel comfortable with the setup, you can enable blocking and still keep an eye on things by regularly checking the ALERTS tab.

As you enable more rules (such as selecting Emerging Threats rules, for example) or try to move to a more stringent IPS Policy (like "Balanced"), you can expect to see more false positives depending on the particular normal traffic on your network. The "Security" IPS Policy is sure to generate a number of nuisance blocks, so I never recommend it unless you are protecting a network containing the nuclear missle launch codes or something . And never enable the "Max Protect" policy as the Snort VRT explicitly says that one is for extreme testing only. It will most surely nearly cripple regular traffic flow.

Enso_

I'm using Legacy Mode. I checked other pfSense boxes with the same or similar Snort setups, and you’re correct—on those systems, Snort automatically blocks all alerts in Legacy Mode. However, on this one, it doesn’t.

Settings:

Use IPS Policy: **Enabled**
IPS Policy: **Balanced**
“Automatically block hosts that generate a Snort alert”: **Enabled**
Mode: **Legacy Mode**
Pass List: **None**
Alerts: **230**
Blocked: **None (empty)**

I’ve updated the rules and restarted the Snort interface, but the behavior remains the same.

Does anyone know why this particular instance isn’t blocking anything in Legacy Mode, even with the auto block option enabled?