    (Snort) Question about false positives…

      seanlee

      I am using snort 2.8.5.3 pkg v. 1.24 on pfsense 1.2.3-RELEASE (updating to 1.25 tonight)

      I don't understand how one tweaks snort in order to minimize false positives. We get a lot of DoS attacks on our production site and snort also often blocks legit traffic. I see a lot of people talking about the "suppress" tab, but I can't find a detailed "howto" anywhere. And does this just suppress the alerts or does it disable specific rules? Is it possible to "teach" snort about legit traffic? Somebody please point me in the right direction.

      I've searched the forums and have found minimal responses on this.

      Thanks,

      -Sean

        chowtamah

        Hi,

        You may try this.
        You have to give a filename and add entries for suppressing false positives like DOUBLE DECODING ATTACK, NON-RFC DEFINED CHAR… in the Suppress tab of Snort.

        suppress gen_id 119, sig_id 2
        suppress gen_id 119, sig_id 4
        suppress gen_id 119, sig_id 13
        suppress gen_id 119, sig_id 14

        You can find the gen_id and sig_id in the Alerts tab of snort.

        Then, in the If Settings (Interface Settings) tab, under the Suppression and filtering setting, you have to select the filename from the drop-down list. You have to do the same for all interfaces. Then restart all interfaces.

        -chowtamah

        2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

        Always trying to learn!!

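As an added example (not code from this thread or from the pfSense Snort package), the script below reads alert lines in Snort's alert_fast format, picks out the gen_id:sig_id pairs that the reply says to look up in the Alerts tab, and emits suppress entries in the syntax shown above. The sample alert lines and the local sid 1000001 are constructed; the optional track by_src clause is standard Snort suppress syntax for limiting an entry to one source IP rather than silencing the signature for everyone.

```python
import re
from collections import Counter

# Constructed sample alert_fast lines (not taken from the thread). The [gid:sid:rev]
# field is where the gen_id and sig_id for a suppress entry come from.
SAMPLE_ALERTS = """\
07/12-10:15:32.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
07/12-10:15:33.222222  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:51235 -> 192.0.2.10:80
07/12-10:15:34.333333  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.0.0.7:40000 -> 192.0.2.10:80
07/12-10:15:35.444444  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.5:51236 -> 192.0.2.10:80
07/12-10:15:36.555555  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 1] {TCP} 198.51.100.9:80 -> 10.0.0.5:51240
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Yield (gid, sid, msg, src_ip) for every alert_fast line that matches."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]

def build_suppress_list(text, suppress_sids, trusted_src=None):
    """Return Snort 'suppress' lines for the (gid, sid) pairs in suppress_sids.

    A bare 'suppress gen_id X, sig_id Y' silences that event globally. When
    trusted_src is given, 'track by_src, ip <addr>' limits the entry to that
    source, so the same signature still alerts for every other host. Either way
    suppression only hides the alert output; the rule stays enabled and still runs.
    """
    seen = Counter((g, s) for g, s, _, _ in parse_alerts(text))
    lines = []
    for gid, sid in sorted(suppress_sids):
        if (gid, sid) not in seen:
            continue  # do not write entries for signatures that never fired
        entry = f"suppress gen_id {gid}, sig_id {sid}"
        if trusted_src:
            entry += f", track by_src, ip {trusted_src}"
        lines.append(entry)
    return lines

if __name__ == "__main__":
    for entry in build_suppress_list(SAMPLE_ALERTS, {(119, 2), (119, 4), (119, 13), (119, 14)}):
        print(entry)
```

Paste the printed lines into the suppress list file and then select that file for each interface, as the reply describes.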
          seanlee

          Thank you! That's exactly what I needed to figure out.

          -Sean
