3. (Snort) Question about false positives…

(Snort) Question about false positives…

  • S

    I am using snort 2.8.5.3 pkg v. 1.24 on pfsense 1.2.3-RELEASE (updating to 1.25 tonight)

    I don't understand how one tweaks snort in order to minimize false positives. We get a lot of DOS's on our production site and snort also often blocks legit traffic. I see a lot of ppl talking about the "suppress" tab, but I can't find a detailed "howto" anywhere. And does this just suppress the alerts or does it disable specific rules? Is it possible to "teach" snort about legit traffic? Somebody please point me in the right direction.

    I've searched the forums and have found minimal responses on this.

    Thanks,

    -Sean

    0
  • C

    Hi,

    You may try this.
    You have to give a filename and add entries for suppressing false positives like DOUBLE DECODING ATTACK, NON-RFC DEFINED CHAR… in Suppress Tab of Snort.

    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13
    suppress gen_id 119, sig_id 14

    You can find gen_id, sig_id in Alerts tab of snort.

    Then, in If settings (Interface Settings) tab, for Suppression and filtering setting you have to select the filename from drop down list. You have to do same for all interfaces. Then restart all interfaces.

    -chowtamah

    0
  • S

    Thank you! That's exactly what I needed to figure out.

    -Sean

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy