(Snort) Question about false positives…



  • I am using snort 2.8.5.3 pkg v. 1.24 on pfsense 1.2.3-RELEASE (updating to 1.25 tonight)

    I don't understand how one tweaks Snort in order to minimize false positives. We get a lot of DoS attacks on our production site, and Snort also often blocks legit traffic. I see a lot of people talking about the "suppress" tab, but I can't find a detailed how-to anywhere. And does this just suppress the alerts or does it disable specific rules? Is it possible to "teach" Snort about legit traffic? Somebody please point me in the right direction.

    I've searched the forums and have found minimal responses on this.

    Thanks,

    -Sean



  • Hi,

    You may try this.
    You have to give a filename and add entries for suppressing false positives like DOUBLE DECODING ATTACK, NON-RFC DEFINED CHAR… in the Suppress tab of Snort.

    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13
    suppress gen_id 119, sig_id 14

    You can find the gen_id and sig_id in the Alerts tab of Snort.

    Then, in the If Settings (Interface Settings) tab, for the Suppression and filtering setting, you have to select the filename from the drop-down list. You have to do the same for all interfaces. Then restart all interfaces.

    -chowtamah
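
One way to build the suppression entries described in the answer above from an alert log, as an added example that is not part of the thread or of the pfSense package. It assumes alerts in Snort's "fast" format; the sample lines and function names are constructed, and the per-source form (`track by_src, ip`, standard Snort suppress syntax) goes beyond the entries posted above.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's "fast" alert format (not from the thread).
SAMPLE_ALERTS = """\
05/12-10:01:02.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 198.51.100.7:51234 -> 192.0.2.10:80
05/12-10:01:03.223456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 198.51.100.7:51240 -> 192.0.2.10:80
05/12-10:02:10.000001  [**] [119:13:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 203.0.113.9:40000 -> 192.0.2.10:80
this line is not an alert
""".splitlines()

# Captures gen_id, sig_id, message text and source IP.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?\}\s+([0-9.]+)(?::\d+)?\s+->"
)

def tally_alerts(lines):
    """Group alerts by (gen_id, sig_id): count, message and source IPs seen."""
    tally = defaultdict(lambda: {"count": 0, "msg": "", "sources": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        entry = tally[(int(m[1]), int(m[2]))]
        entry["count"] += 1
        entry["msg"] = m[3]
        entry["sources"].add(m[4])
    return dict(tally)

def suppress_lines(tally, reviewed, only_src=None):
    """Emit entries only for signatures a human reviewed as false positives."""
    out = []
    for key in sorted(reviewed):
        if key not in tally:
            continue  # do not suppress a signature that was never observed
        line = f"suppress gen_id {key[0]}, sig_id {key[1]}"
        src = (only_src or {}).get(key)
        if src:
            line += f", track by_src, ip {src}"  # limit to one known-good source
        out.append(f"# {tally[key]['msg']} ({tally[key]['count']} alerts)")
        out.append(line)
    return out

if __name__ == "__main__":
    seen = tally_alerts(SAMPLE_ALERTS)
    reviewed = {(119, 2), (119, 13)}  # hypothetical review decision
    print("\n".join(suppress_lines(seen, reviewed, {(119, 2): "198.51.100.7"})))
```

A suppress entry stops Snort from raising the event for that gen_id/sig_id; the rule or preprocessor check itself stays loaded.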



  • Thank you! That's exactly what I needed to figure out.

    -Sean

