• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Quick Snort Setup Instructions for New Users

IDS/IPS
46
147
253.6k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D
    darrenkdean
    last edited by Mar 7, 2015, 7:37 PM

    Excellent, thank you both!  I went back & changed the settings per your guidance & the telephone service is now working.  Can't thank you enough for your help!  Alerts are still being generated, but no longer blocked.  Is there any reason why I would not want to suppress these alerts?

    Best-

    Darren

    1 Reply Last reply Reply Quote 0
    • B
      bmeeks
      last edited by Mar 8, 2015, 1:31 AM

      @darrenkdean:

      Excellent, thank you both!  I went back & changed the settings per your guidance & the telephone service is now working.  Can't thank you enough for your help!  Alerts are still being generated, but no longer blocked.  Is there any reason why I would not want to suppress these alerts?

      Best-

      Darren

      You can suppress them if you wish, but depending on how you do it you may expose yourself to a real attack (as opposed to the false positive you are likely seeing now).  Here is what I would do:

      You know the IP address in question (your phone system), so create a suppress list rule by IP address.  The easiest way to accomplish this is on the ALERTS tab.  Click the plus (+) icon beside the IP address you don't want to block on one of the alert rows.  This will create a suppress list entry of type "track by IP".  It will be either source (SRC) or destination (DST) depending on which address column you clicked.  The entry will be for that specific IP.  If you want to suppress by an IP block instead, then after creating the entry as described previously, go to the SUPPRESS LIST tab, find the newly created list and edit it.  Change the IP address to a CIDR block.

      Bill

      1 Reply Last reply Reply Quote 0
      • D
        darrenkdean
        last edited by Mar 13, 2015, 5:03 PM

        Good Afternoon,

        I have configured Snort according to the guide & everything works great on the WAN.  I have created a LAN Interface & mirrored the rules for both.  When I go to start Snort on the LAN, I am getting the following error:

        snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

        I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface.  Any guidance or suggestions would be greatly appreciated.

        Best-

        Darren

        1 Reply Last reply Reply Quote 0
        • M
          Mr. Jingles
          last edited by Mar 13, 2015, 5:25 PM

          @darrenkdean:

          Good Afternoon,

          I have configured Snort according to the guide & everything works great on the WAN.  I have created a LAN Interface & mirrored the rules for both.  When I go to start Snort on the LAN, I am getting the following error:

          snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

          I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface.  Any guidance or suggestions would be greatly appreciated.

          Best-

          Darren

          Confirmed. My system log is filled with this too:

          snort[4022]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating ...snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil
          

          Snort starts on all interfaces 'though, yet it is cluttering up the logs with this constantly repeating message.

          pfSense 2.1.5 X64, Snort 2.9.7.0 pkg 3.2.3

          6 and a half billion people know that they are stupid, agressive, lower life forms.

          1 Reply Last reply Reply Quote 0
          • B
            bmeeks
            last edited by Mar 13, 2015, 9:44 PM

            @darrenkdean:

            Good Afternoon,

            I have configured Snort according to the guide & everything works great on the WAN.  I have created a LAN Interface & mirrored the rules for both.  When I go to start Snort on the LAN, I am getting the following error:

            snort[93176]: server /usr/pbi/snort-amd64/etc/snort/appid//odp/lua/service_EIP.lua: error validating …snort-amd64/etc/snort/appid//odp/libs/DetectorCommon.lua:318: table index is nil

            I have searched for documentation on this, but have been unable to find out what it is &/or why Snort will not start on the LAN interface.  Any guidance or suggestions would be greatly appreciated.

            Best-

            Darren

            It would be better if you start a new thread in the IDS/IPS sub-forum.  This thread was designed to contain just the how-to instructions.

            The answer to your problem is also posted in a previous thread here: https://forum.pfsense.org/index.php?topic=89393.msg495651#msg495651, but I will repeat it here.  This is a known syntax error in the OpenAppID rules package from the Snort VRT.  They committed to fix it in a mailing list post about two weeks ago.  It appears they have not yet.  You can disable the OpenAppID preprocessor to make the error go away.  Unless you have also written your own custom rules to use the OpenAppID signatures, they aren't working anyway.

            Bill

            1 Reply Last reply Reply Quote 0
            • T
              tty0
              last edited by Dec 27, 2015, 7:34 PM

              Very simple guide bmeeks, thank you for taking the time to explain this to us new users. Followed another guide and I kept having snort ban websites I was visiting.

              1 Reply Last reply Reply Quote 0
              • 2
                2chemlud Banned
                last edited by Feb 13, 2016, 4:17 PM

                Hi!

                How about adding a little bit of info specific to nano users running snort? ;-)

                Maybe somethink like this:

                https://forum.pfsense.org/index.php?topic=106725.msg594731#msg594731

                Regards

                chemlud

                1 Reply Last reply Reply Quote 0
                • A
                  AR15USR
                  last edited by Apr 23, 2016, 3:33 AM

                  Hi bmeeks/jflsakfja,

                  This post was originally done a few years ago, how valid is the setup in post 1 and the rule configuration in post 3 these days?


                  2.6.0-RELEASE

                  1 Reply Last reply Reply Quote 0
                  • T
                    THS
                    last edited by May 1, 2016, 5:21 AM May 1, 2016, 5:13 AM

                    Hey. Thanks for this useful post.
                    Btw this list is 3 years old. Is it still (mostly) up to date ?

                    Also I have a few repeating alerts I can't figure out. Can you help ?

                    1:2018959.  ET POLICY PE EXE or DLL Windows file download HTTP
                    1:28039.    INDICATOR-COMPROMISE Suspicious .pw dns query
                    119:33.  (http_inspect) UNESCAPED SPACE IN HTTP URI

                    Thanks !

                    @jflsakfja:

                    The Missing Part to Quick Snort Setup Instructions for New Users

                    In tab "Rules", under "Category" select:
                    (–- means blank table at time of writing)

                    DONE > emerging-activex > all

                    DONE > emerging-attack_responses > all

                    DONE > emerging-botcc > all

                    DONE > emerging-chat > all except:
                    2010784 ET CHAT Facebook Chat (send message)
                    2010785 ET CHAT Facebook Chat (buddy list)
                    2010786 ET CHAT Facebook Chat (settings)
                    2010819 ET CHAT Facebook Chat using XMPP
                    2002327 ET CHAT Google Talk (Jabber) Client Login
                    2002334 ET CHAT Google IM traffic Jabber client sign-on
                    2001241 ET CHAT MSN file transfer request
                    2001242 ET CHAT MSN file transfer accept
                    2001243 ET CHAT MSN file transfer reject
                    2001682 ET CHAT MSN IM Poll via HTTP
                    2002192 ET CHAT MSN status change
                    2008289 ET CHAT Possible MSN Messenger File Transfer
                    2009375 ET CHAT General MSN Chat Activity
                    2009376 ET CHAT MSN User-Agent Activity

                    DONE > emerging-ciarmy > all

                    DONE > emerging-compromised > all

                    DONE > emerging-current_events > all

                    DONE > emerging-deleted > ---

                    DONE > emerging-dns > all except:
                    2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10
                    seconds) - possible Cache Poisoning Attempt
                    2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
                    2001117 ET DNS Standard query response, Name Error

                    DONE > emerging-dos > all

                    DONE > emerging-drop > all

                    DONE > emerging-dshield > all

                    DONE > emerging-exploit > all except:
                    2001058 ET EXPLOIT libpng tRNS overflow attempt
                    2002913 ET EXPLOIT VNC Client response
                    2002914 ET EXPLOIT VNC Server VNC Auth Offer
                    2002919 ET EXPLOIT VNC Good Authentication Reply
                    2002915 ET EXPLOIT VNC Authentication Reply
                    2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
                    2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

                    DONE > emerging-ftp > all

                    DONE > emerging-games > all

                    DONE > emerging-icmp > ---

                    DONE > emerging-icmp_info > ---

                    DONE > emerging-imap > ---

                    DONE > emerging-inappropriate > all except:
                    2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
                    2001608 ET INAPPROPRIATE Likely Porn

                    DONE > emerging-info > all except:
                    2014472 ET INFO JAVA - Java Archive Download
                    2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
                    2014819 ET INFO Packed Executable Download
                    2015016 ET INFO FTP STOR to External Network
                    2015561 ET INFO PDF Using CCITTFax Filter
                    2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
                    2016360 ET INFO JAVA - ClassID
                    2016361 ET INFO JAVA - ClassID
                    2016404 ET INFO MPEG Download Over HTTP (1)

                    DONE > emerging-malware > all except:
                    2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

                    DONE > emerging-misc > all

                    DONE > emerging-mobile_malware > all except:
                    2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
                    2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

                    DONE > emerging-netbios > all

                    DONE > emerging-p2p > all except:
                    2000369 ET P2P BitTorrent Announce
                    2007727 ET P2P possible torrent download
                    2008581 ET P2P BitTorrent DHT ping request
                    2008583 ET P2P BitTorrent DHT nodes reply
                    2008585 ET P2P BitTorrent DHT announce_peers request
                    2010144 ET P2P Vuze BT UDP Connection (5)
                    2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)

                    *emerging-policy > all except:
                    2000419 ET POLICY PE EXE or DLL Windows file download
                    2000428 ET POLICY ZIP file download
                    2001115 ET POLICY MSI (microsoft installer file) download
                    2003595 ET POLICY exe download via HTTP - Informational
                    2001898 ET POLICY eBay Bid Placed
                    2001907 ET POLICY eBay Placing Item for sale
                    2001908 ET POLICY eBay View Item
                    2001909 ET POLICY eBay Watch This Item
                    2003303 ET POLICY FTP Login Attempt (non-anonymous)
                    2003410 ET POLICY FTP Login Successful
                    2003121 ET POLICY docs.google.com Activity
                    2003597 ET POLICY Google Calendar in Use
                    2002801 ET POLICY Google Desktop User-Agent Detected
                    2002838 ET POLICY Google Search Appliance browsing the Internet
                    2000035 ET POLICY Hotmail Inbox Access
                    2000036 ET POLICY Hotmail Message Access
                    2000037 ET POLICY Hotmail Compose Message Access
                    2000038 ET POLICY Hotmail Compose Message Submit
                    2000039 ET POLICY Hotmail Compose Message Submit Data
                    2008238 ET POLICY Hotmail Inbox Access
                    2008239 ET POLICY Hotmail Message Access
                    2008240 ET POLICY Hotmail Compose Message Access
                    2008242 ET POLICY Hotmail Access Full Mode
                    2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
                    2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
                    2002330 ET POLICY Google Talk TLS Client Traffic
                    2002332 ET POLICY Google IM traffic Windows client user sign-on
                    2002333 ET POLICY Google IM traffic friend invited
                    2002878 ET POLICY iTunes User Agent
                    2002722 ET POLICY MP3 File Transfer Outbound
                    2002723 ET POLICY MP3 File Transfer Inbound
                    2001114 ET POLICY Mozilla XPI install files download
                    2001973 ET POLICY SSH Server Banner Detected on Expected Port
                    2001974 ET POLICY SSH Client Banner Detected on Expected Port
                    2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
                    2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
                    2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
                    2001978 ET POLICY SSH session in progress on Expected Port
                    2001979 ET POLICY SSH Server Banner Detected on Unusual Port
                    2001980 ET POLICY SSH Client Banner Detected on Unusual Port
                    2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
                    2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
                    2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
                    2001984 ET POLICY SSH session in progress on Unusual Port
                    2013031 ET POLICY Python-urllib/ Suspicious User Agent
                    2013414 ET POLICY Executable served from Amazon S3
                    2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
                    2012647 ET POLICY Dropbox.com Offsite File Backup in Use
                    2012648 ET POLICY Dropbox Client Broadcasting
                    2014313 ET POLICY Executable Download From DropBox

                    DONE > emerging-pop3 > ---

                    DONE > emerging-rbn-malvertisers > all

                    DONE > emerging-rbn > all

                    DONE > emerging-rpc > ---

                    DONE > emerging-scada > all

                    DONE > emerging-scan > all except
                    2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
                    2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
                    2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                    2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack

                    DONE > emerging-shellcode > all except
                    2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
                    2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
                    2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
                    2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
                    2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
                    2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a

                    DONE > emerging-smtp > all

                    DONE > emerging-snmp > all

                    DONE > emerging-sql > all

                    DONE > emerging-telnet > all

                    DONE > emerging-tftp > all

                    DONE > emerging-tor > all

                    emerging-trojan > all except

                    DONE > emerging-user_agents > all except:
                    2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

                    DONE > emerging-voip > all

                    DONE > emerging-web_client > all except
                    2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                    2011507 ET WEB_CLIENT PDF With Embedded File
                    2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                    2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                    2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                    2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                    2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                    2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding

                    DONE > emerging-web_server > all except
                    2003099 ET WEB_SERVER Poison Null Byte

                    emerging-web_specific_apps > all except:
                    2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
                    2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
                    2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
                    2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)

                    DONE > emerging-worm > all

                    DONE > GPLv2 community rules > all except
                    254 DNS SPOOF query response with TTL of 1 min. and no authority
                    384 PROTOCOL-ICMP PING
                    385 PROTOCOL-ICMP traceroute
                    399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
                    402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
                    408 PROTOCOL-ICMP Echo Reply
                    540 POLICY-SOCIAL Microsoft MSN message
                    648 INDICATOR-SHELLCODE x86 NOOP
                    649 INDICATOR-SHELLCODE x86 setgid 0
                    1200 INDICATOR-COMPROMISE Invalid URL
                    1201 INDICATOR-COMPROMISE 403 Forbidden
                    1292 INDICATOR-COMPROMISE directory listing
                    1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
                    1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
                    1437 FILE-IDENTIFY Microsoft Windows Media download detected
                    1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
                    1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
                    1852 SERVER-WEBAPP robots.txt access
                    1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
                    1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
                    1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
                    1990 POLICY-SOCIAL Microsoft MSN user search
                    1991 POLICY-SOCIAL Microsoft MSN login attempt
                    2180 PUA-P2P BitTorrent announce request
                    2181 PUA-P2P BitTorrent transfer
                    2707 FILE-IMAGE JPEG parser multipacket heap overflow
                    3463 SERVER-WEBAPP awstats access
                    25518 OS-OTHER Apple iPod User-Agent detected
                    25519 OS-OTHER Apple iPad User-Agent detected
                    25520 OS-OTHER Apple iPhone User-Agent detected
                    25521 OS-OTHER Android User-Agent detected
                    25522 OS-OTHER Nokia User-Agent detected
                    25523 OS-OTHER Samsung User-Agent detected
                    25524 OS-OTHER Kindle User-Agent detected
                    25525 OS-OTHER Nintendo User-Agent detected

                    *IPS Policy - Security > all except
                    4152 BROWSER-PLUGINS Microsoft Windows Media Player 6.4 ActiveX object access
                    19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt

                    Suppression List:
                    #GLOBAL

                    gen_id 1

                    suppress gen_id 1, sig_id 536
                    suppress gen_id 1, sig_id 648
                    suppress gen_id 1, sig_id 653
                    suppress gen_id 1, sig_id 1390
                    suppress gen_id 1, sig_id 2452
                    suppress gen_id 1, sig_id 11192
                    suppress gen_id 1, sig_id 15306
                    suppress gen_id 1, sig_id 16313
                    suppress gen_id 1, sig_id 17458
                    suppress gen_id 1, sig_id 20583
                    suppress gen_id 1, sig_id 23098
                    suppress gen_id 1, sig_id 2000334
                    suppress gen_id 1, sig_id 2008120
                    suppress gen_id 1, sig_id 2010516
                    suppress gen_id 1, sig_id 20122758
                    suppress gen_id 1, sig_id 2014518
                    suppress gen_id 1, sig_id 2014520
                    suppress gen_id 1, sig_id 2100366
                    suppress gen_id 1, sig_id 2100368
                    suppress gen_id 1, sig_id 2100651
                    suppress gen_id 1, sig_id 2101390
                    suppress gen_id 1, sig_id 2101424
                    suppress gen_id 1, sig_id 2102314
                    suppress gen_id 1, sig_id 2103134
                    suppress gen_id 1, sig_id 2500056
                    suppress gen_id 1, sig_id 100000230
                    suppress gen_id 3, sig_id 14772
                    #(http_inspect) DOUBLE DECODING ATTACK
                    suppress gen_id 119, sig_id 2
                    #(http_inspect) BARE BYTE UNICODE ENCODING
                    suppress gen_id 119, sig_id 4
                    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
                    suppress gen_id 119, sig_id 7
                    #(http_inspect) NON-RFC DEFINED CHAR [**]
                    suppress gen_id 119, sig_id 14
                    #(http_inspect) UNKNOWN METHOD
                    suppress gen_id 119, sig_id 31
                    #(http_inspect) SIMPLE REQUEST
                    suppress gen_id 119, sig_id 32
                    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                    suppress gen_id 120, sig_id 2
                    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                    suppress gen_id 120, sig_id 3
                    #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
                    suppress gen_id 120, sig_id 4
                    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
                    suppress gen_id 120, sig_id 6
                    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                    suppress gen_id 120, sig_id 8
                    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
                    suppress gen_id 120, sig_id 9

                    Unknown

                    suppress gen_id 120, sig_id 10
                    #(smtp) Attempted response buffer overflow: 1448 chars
                    suppress gen_id 124, sig_id 3
                    #(ftp_telnet) Invalid FTP Command
                    suppress gen_id 125, sig_id 2
                    #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
                    suppress gen_id 137, sig_id 1
                    #(IMAP) Unknown IMAP4 command
                    suppress gen_id 141, sig_id 1

                    1 Reply Last reply Reply Quote 0
                    • MikeV7896M
                      MikeV7896
                      last edited by May 2, 2016, 2:59 PM May 1, 2016, 12:54 PM

                      @THS:

                      Hey. Thanks for this useful post.
                      Btw this list is 3 years old. Is it still (mostly) up to date ?

                      Also I have a few repeating alerts I can't figure out. Can you help ?

                      1:2018959.  ET POLICY PE EXE or DLL Windows file download HTTP
                      1:28039.    INDICATOR-COMPROMISE Suspicious .pw dns query
                      119:33.  (http_inspect) UNESCAPED SPACE IN HTTP URI

                      Thanks !

                      A few options may have had slight name changes, and I think one has been removed since it was written, but for the most part it's still good.

                      On your repeating alerts…

                      The first one looks like an alert that a .exe or .dll file is being downloaded from the internet. I can see why that would be a common one. Probably safe to suppress or disable this rule, depending on your preference, unless your users shouldn't be downloading executable binary files to their computers.

                      The second one looks like an alert that a potentially suspicious .pw domain is being looked up using DNS. You might want to check the host(s) that the alert is showing up for to make sure there isn't any malicious software on it/them. Of course, if your hosts regularly access systems that are legitimate in the .pw TLD, then you might want to suppress or disable this one.

                      The third is a rather common one regarding a space character in an HTTP URL that isn't being formatted with an escape sequence (i.e. %20), which should be done to adhere to proper specs, but sometimes isn't. This one should be safe to suppress or disable.

                      Edit to add: Your second alert could also be caused by a torrent client, connecting to a user in the country that uses the .pw TLD for data.

                      The S in IOT stands for Security

                      1 Reply Last reply Reply Quote 0
                      • T
                        THS
                        last edited by May 9, 2016, 10:12 AM

                        Hey you were right. It was because of bittorrent. It was blocking all traffic to .PW

                        I turned that rule off.

                        1 Reply Last reply Reply Quote 0
                        • H
                          hamed_forum
                          last edited by Nov 7, 2016, 4:56 AM

                          the google block in snort beacuse (portscan) TCP Portscan
                          i must whats do?
                          Portscan Detection
                          protocol tcp
                          scan type all
                          Sensitivity low

                          1 Reply Last reply Reply Quote 0
                          • F
                            Fobio
                            last edited by Nov 12, 2016, 11:21 AM

                            I have setup snort and it's been running well.  Thank you for those here with the setup tips.

                            Today I tried to download FireFox and it all timed out to address: download-installer.cdn.mozilla.net

                            I've followed the setup and disabled the ET-Policy-Mozilla rule.  What else could be affecting this?  I've done a few searches and haven't found anything here or elsewhere.

                            1 Reply Last reply Reply Quote 0
                            • M
                              Mr. Jingles
                              last edited by Nov 13, 2016, 5:38 PM

                              @Fobio:

                              I have setup snort and it's been running well.  Thank you for those here with the setup tips.

                              Today I tried to download FireFox and it all timed out to address: download-installer.cdn.mozilla.net

                              I've followed the setup and disabled the ET-Policy-Mozilla rule.  What else could be affecting this?  I've done a few searches and haven't found anything here or elsewhere.

                              Normally the alerts tab for the interface should give a clue, does it say anything?

                              6 and a half billion people know that they are stupid, agressive, lower life forms.

                              1 Reply Last reply Reply Quote 0
                              • F
                                Fobio
                                last edited by Nov 14, 2016, 7:01 AM

                                @Mr.:

                                @Fobio:

                                I have setup snort and it's been running well.  Thank you for those here with the setup tips.

                                Today I tried to download FireFox and it all timed out to address: download-installer.cdn.mozilla.net

                                I've followed the setup and disabled the ET-Policy-Mozilla rule.  What else could be affecting this?  I've done a few searches and haven't found anything here or elsewhere.

                                Normally the alerts tab for the interface should give a clue, does it say anything?

                                Likely this:

                                1:2003492 ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

                                1 Reply Last reply Reply Quote 0
                                • VeldkornetV
                                  Veldkornet
                                  last edited by May 5, 2017, 7:29 AM May 5, 2017, 6:59 AM

                                  Hey guys,

                                  I keep getting the following alert "2000419 ET POLICY PE EXE or DLL Windows file download" but I dot even have emerging-policy.rules enabled (I never have)….. I only have
                                  emerging-botcc.rules
                                  emerging-compromised.rules
                                  emerging-dshield.rules
                                  emerging-exploit.rules
                                  emerging-malware.rules
                                  emerging-trojan.rules
                                  emerging-worm.rules

                                  Is it possible that it's coming from one of these other categories?

                                  I've force disabled it for now, but I have no idea why it's showing up...

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    djseto
                                    last edited by Jun 5, 2017, 4:35 PM

                                    @jflsakfja:

                                    The Missing Part to Quick Snort Setup Instructions for New Users

                                    Instructions on making the most of your shiny new IDS
                                    Snort is designed to block pretty much anything you can think of. That's why there are many false positives. When I first started using snort, I was constantly banging my head on my desk because most sites would be blocked for (seemingly) no reason.
                                    The CORRECT way to stop false positives is to disable the rules causing them, NOT using suppression lists. I may hear you ask "but all other places on the internet say use suppression lists, why shouldn't I?".
                                    A little (simplified) info on how snort works will help you understand why.
                                    Snort takes the packets and analyses them. Matches to the rules will be forwarded to alerts, then pfsense's plugin takes over and bans them. Suppression lists work just before the last step. They stop alerts from being produced. Disabling rules stops the "process" at the very beginning. Why analyze a packet if you are going to ignore it? This saves CPU processing which could be used for other purposes (eg enable more rules).
                                    There are times when this will not work. Rules deep deep inside snort (preprocessor rules) have no way of being disabled (if I'm wrong about this, please correct me). That's where suppression lists become useful.

                                    With that out of the way, this is the process to stop false positives.

                                    1. Identify the rule causing them. On the alerts tab you will find all alerts (no kidding). The last columns should show a number in the format x:YYYY:x and an explanation for the rule.
                                      I'll use this for this example:
                                      x:2000419:x ET POLICY PE EXE or DLL Windows file download
                                    2. copy the YYYY part (2000419). Take a look at the explanation. ET (emerging threats) POLICY. This means you'll find this rule in emerging-policy list.
                                    3. go to the snort home page (services> snort). Click the e to edit interface settings, then go to rules. In the drop down select emerging-policy. Assuming you use firefox, CTRL+F and paste the rule number (called sig_id, signature ID) and click next. For other browsers, find a way to search the page for a term and enter the number there.
                                    4. click the red or yellow (depending if you previously enabled the rule) to turn it into a lighter shade of yellow (see bottom of page).
                                    5. top of page, click apply changes and wait for the page to reload.
                                    6. go back to the snort home page and restart the interface (click the red x until it becomes green, wait a couple of seconds and click it again to turn it back to red) <<< DO NOT FORGET THIS STEP
                                      –----warning!!!-------
                                      as of version 2.5.8 the icons are now swapped. Green is running, red is not running. So invert the colors above

                                    1. relax, the rule is now disabled and will stop generating alerts. Go to blocked tab, and find the ip that it previously banned and unban it (click the button to the right of the explanation).

                                    In that rare case you cannot find the rule causing the alert (eg explanation does not offer information about the list), first check GPLv2 list, then IPS policy list. If you still cannot find it, a suppression entry is needed. Simply click the add to suppression list (little +) next to the rule on the alerts tab. Assuming you have set up your suppression list correctly, it will be added to it. Restart the interface (step 6 above), unban the ip, and you are done!

                                    And now for my contribution to the community. The default enabled rules are too relaxed. We need to enable more rules, but a word of caution. ONLY USE THIS LIST IF YOU HAVE ENOUGH MEMORY.
                                    I'm currently using it on redundant CARP firewalls, with a crappy p4 cpu and 2GB of ram each. The systems average about 25-30% RAM usage.The list below shows how snort is configured on a production environment and works perfectly (for me) but it is not complete. Entries that do not have a DONE > in front of them are NOT COMPLETED. Please review and make changes depending on your environment.

                                    In tab "Rules", under "Category" select:
                                    (--- means blank table at time of writing)

                                    DONE > emerging-activex > all

                                    DONE > emerging-attack_responses > all

                                    DONE > emerging-botcc > all

                                    DONE > emerging-chat > all except:
                                    2010784 ET CHAT Facebook Chat (send message)
                                    2010785 ET CHAT Facebook Chat (buddy list)
                                    2010786 ET CHAT Facebook Chat (settings)
                                    2010819 ET CHAT Facebook Chat using XMPP
                                    2002327 ET CHAT Google Talk (Jabber) Client Login
                                    2002334 ET CHAT Google IM traffic Jabber client sign-on
                                    2001241 ET CHAT MSN file transfer request
                                    2001242 ET CHAT MSN file transfer accept
                                    2001243 ET CHAT MSN file transfer reject
                                    2001682 ET CHAT MSN IM Poll via HTTP
                                    2002192 ET CHAT MSN status change
                                    2008289 ET CHAT Possible MSN Messenger File Transfer
                                    2009375 ET CHAT General MSN Chat Activity
                                    2009376 ET CHAT MSN User-Agent Activity

                                    DONE > emerging-ciarmy > all

                                    DONE > emerging-compromised > all

                                    DONE > emerging-current_events > all

                                    DONE > emerging-deleted > ---

                                    DONE > emerging-dns > all except:
                                    2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10
                                    seconds) - possible Cache Poisoning Attempt
                                    2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
                                    2001117 ET DNS Standard query response, Name Error

                                    DONE > emerging-dos > all

                                    DONE > emerging-drop > all

                                    DONE > emerging-dshield > all

                                    DONE > emerging-exploit > all except:
                                    2001058 ET EXPLOIT libpng tRNS overflow attempt
                                    2002913 ET EXPLOIT VNC Client response
                                    2002914 ET EXPLOIT VNC Server VNC Auth Offer
                                    2002919 ET EXPLOIT VNC Good Authentication Reply
                                    2002915 ET EXPLOIT VNC Authentication Reply
                                    2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
                                    2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

                                    DONE > emerging-ftp > all

                                    DONE > emerging-games > all

                                    DONE > emerging-icmp > ---

                                    DONE > emerging-icmp_info > ---

                                    DONE > emerging-imap > ---

                                    DONE > emerging-inappropriate > all except:
                                    2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
                                    2001608 ET INAPPROPRIATE Likely Porn

                                    DONE > emerging-info > all except:
                                    2014472 ET INFO JAVA - Java Archive Download
                                    2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
                                    2014819 ET INFO Packed Executable Download
                                    2015016 ET INFO FTP STOR to External Network
                                    2015561 ET INFO PDF Using CCITTFax Filter
                                    2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
                                    2016360 ET INFO JAVA - ClassID
                                    2016361 ET INFO JAVA - ClassID
                                    2016404 ET INFO MPEG Download Over HTTP (1)

                                    DONE > emerging-malware > all except:
                                    2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

                                    DONE > emerging-misc > all

                                    DONE > emerging-mobile_malware > all except:
                                    2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
                                    2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

                                    DONE > emerging-netbios > all

                                    DONE > emerging-p2p > all except:
                                    2000369 ET P2P BitTorrent Announce
                                    2007727 ET P2P possible torrent download
                                    2008581 ET P2P BitTorrent DHT ping request
                                    2008583 ET P2P BitTorrent DHT nodes reply
                                    2008585 ET P2P BitTorrent DHT announce_peers request
                                    2010144 ET P2P Vuze BT UDP Connection (5)
                                    2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)

                                    *emerging-policy > all except:
                                    2000419 ET POLICY PE EXE or DLL Windows file download
                                    2000428 ET POLICY ZIP file download
                                    2001115 ET POLICY MSI (microsoft installer file) download
                                    2003595 ET POLICY exe download via HTTP - Informational
                                    2001898 ET POLICY eBay Bid Placed
                                    2001907 ET POLICY eBay Placing Item for sale
                                    2001908 ET POLICY eBay View Item
                                    2001909 ET POLICY eBay Watch This Item
                                    2003303 ET POLICY FTP Login Attempt (non-anonymous)
                                    2003410 ET POLICY FTP Login Successful
                                    2003121 ET POLICY docs.google.com Activity
                                    2003597 ET POLICY Google Calendar in Use
                                    2002801 ET POLICY Google Desktop User-Agent Detected
                                    2002838 ET POLICY Google Search Appliance browsing the Internet
                                    2000035 ET POLICY Hotmail Inbox Access
                                    2000036 ET POLICY Hotmail Message Access
                                    2000037 ET POLICY Hotmail Compose Message Access
                                    2000038 ET POLICY Hotmail Compose Message Submit
                                    2000039 ET POLICY Hotmail Compose Message Submit Data
                                    2008238 ET POLICY Hotmail Inbox Access
                                    2008239 ET POLICY Hotmail Message Access
                                    2008240 ET POLICY Hotmail Compose Message Access
                                    2008242 ET POLICY Hotmail Access Full Mode
                                    2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
                                    2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
                                    2002330 ET POLICY Google Talk TLS Client Traffic
                                    2002332 ET POLICY Google IM traffic Windows client user sign-on
                                    2002333 ET POLICY Google IM traffic friend invited
                                    2002878 ET POLICY iTunes User Agent
                                    2002722 ET POLICY MP3 File Transfer Outbound
                                    2002723 ET POLICY MP3 File Transfer Inbound
                                    2001114 ET POLICY Mozilla XPI install files download
                                    2001973 ET POLICY SSH Server Banner Detected on Expected Port
                                    2001974 ET POLICY SSH Client Banner Detected on Expected Port
                                    2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
                                    2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
                                    2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
                                    2001978 ET POLICY SSH session in progress on Expected Port
                                    2001979 ET POLICY SSH Server Banner Detected on Unusual Port
                                    2001980 ET POLICY SSH Client Banner Detected on Unusual Port
                                    2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
                                    2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
                                    2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
                                    2001984 ET POLICY SSH session in progress on Unusual Port
                                    2013031 ET POLICY Python-urllib/ Suspicious User Agent
                                    2013414 ET POLICY Executable served from Amazon S3
                                    2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
                                    2012647 ET POLICY Dropbox.com Offsite File Backup in Use
                                    2012648 ET POLICY Dropbox Client Broadcasting
                                    2014313 ET POLICY Executable Download From DropBox

                                    DONE > emerging-pop3 > ---

                                    DONE > emerging-rbn-malvertisers > all

                                    DONE > emerging-rbn > all

                                    DONE > emerging-rpc > ---

                                    DONE > emerging-scada > all

                                    DONE > emerging-scan > all except
                                    2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
                                    2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
                                    2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                                    2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack

                                    DONE > emerging-shellcode > all except
                                    2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
                                    2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
                                    2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
                                    2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
                                    2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
                                    2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a

                                    DONE > emerging-smtp > all

                                    DONE > emerging-snmp > all

                                    DONE > emerging-sql > all

                                    DONE > emerging-telnet > all

                                    DONE > emerging-tftp > all

                                    DONE > emerging-tor > all

                                    emerging-trojan > all except

                                    DONE > emerging-user_agents > all except:
                                    2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

                                    DONE > emerging-voip > all

                                    DONE > emerging-web_client > all except
                                    2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                                    2011507 ET WEB_CLIENT PDF With Embedded File
                                    2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                                    2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                                    2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                                    2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                                    2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                                    2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding

                                    DONE > emerging-web_server > all except
                                    2003099 ET WEB_SERVER Poison Null Byte

                                    emerging-web_specific_apps > all except:
                                    2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
                                    2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
                                    2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
                                    2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)

                                    DONE > emerging-worm > all

                                    DONE > GPLv2 community rules > all except
                                    254 DNS SPOOF query response with TTL of 1 min. and no authority
                                    384 PROTOCOL-ICMP PING
                                    385 PROTOCOL-ICMP traceroute
                                    399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
                                    402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
                                    408 PROTOCOL-ICMP Echo Reply
                                    540 POLICY-SOCIAL Microsoft MSN message
                                    648 INDICATOR-SHELLCODE x86 NOOP
                                    649 INDICATOR-SHELLCODE x86 setgid 0
                                    1200 INDICATOR-COMPROMISE Invalid URL
                                    1201 INDICATOR-COMPROMISE 403 Forbidden
                                    1292 INDICATOR-COMPROMISE directory listing
                                    1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
                                    1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
                                    1437 FILE-IDENTIFY Microsoft Windows Media download detected
                                    1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
                                    1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
                                    1852 SERVER-WEBAPP robots.txt access
                                    1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
                                    1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
                                    1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
                                    1990 POLICY-SOCIAL Microsoft MSN user search
                                    1991 POLICY-SOCIAL Microsoft MSN login attempt
                                    2180 PUA-P2P BitTorrent announce request
                                    2181 PUA-P2P BitTorrent transfer
                                    2707 FILE-IMAGE JPEG parser multipacket heap overflow
                                    3463 SERVER-WEBAPP awstats access
                                    25518 OS-OTHER Apple iPod User-Agent detected
                                    25519 OS-OTHER Apple iPad User-Agent detected
                                    25520 OS-OTHER Apple iPhone User-Agent detected
                                    25521 OS-OTHER Android User-Agent detected
                                    25522 OS-OTHER Nokia User-Agent detected
                                    25523 OS-OTHER Samsung User-Agent detected
                                    25524 OS-OTHER Kindle User-Agent detected
                                    25525 OS-OTHER Nintendo User-Agent detected

                                    *IPS Policy - Security > all except
                                    4152 BROWSER-PLUGINS Microsoft Windows Media Player 6.4 ActiveX object access
                                    19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt

                                    Suppression List:
                                    #GLOBAL

                                    gen_id 1

                                    suppress gen_id 1, sig_id 536
                                    suppress gen_id 1, sig_id 648
                                    suppress gen_id 1, sig_id 653
                                    suppress gen_id 1, sig_id 1390
                                    suppress gen_id 1, sig_id 2452
                                    suppress gen_id 1, sig_id 11192
                                    suppress gen_id 1, sig_id 15306
                                    suppress gen_id 1, sig_id 16313
                                    suppress gen_id 1, sig_id 17458
                                    suppress gen_id 1, sig_id 20583
                                    suppress gen_id 1, sig_id 23098
                                    suppress gen_id 1, sig_id 2000334
                                    suppress gen_id 1, sig_id 2008120
                                    suppress gen_id 1, sig_id 2010516
                                    suppress gen_id 1, sig_id 20122758
                                    suppress gen_id 1, sig_id 2014518
                                    suppress gen_id 1, sig_id 2014520
                                    suppress gen_id 1, sig_id 2100366
                                    suppress gen_id 1, sig_id 2100368
                                    suppress gen_id 1, sig_id 2100651
                                    suppress gen_id 1, sig_id 2101390
                                    suppress gen_id 1, sig_id 2101424
                                    suppress gen_id 1, sig_id 2102314
                                    suppress gen_id 1, sig_id 2103134
                                    suppress gen_id 1, sig_id 2500056
                                    suppress gen_id 1, sig_id 100000230
                                    suppress gen_id 3, sig_id 14772
                                    #(http_inspect) DOUBLE DECODING ATTACK
                                    suppress gen_id 119, sig_id 2
                                    #(http_inspect) BARE BYTE UNICODE ENCODING
                                    suppress gen_id 119, sig_id 4
                                    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
                                    suppress gen_id 119, sig_id 7
                                    #(http_inspect) NON-RFC DEFINED CHAR [**]
                                    suppress gen_id 119, sig_id 14
                                    #(http_inspect) UNKNOWN METHOD
                                    suppress gen_id 119, sig_id 31
                                    #(http_inspect) SIMPLE REQUEST
                                    suppress gen_id 119, sig_id 32
                                    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                    suppress gen_id 120, sig_id 2
                                    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
                                    suppress gen_id 120, sig_id 3
                                    #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
                                    suppress gen_id 120, sig_id 4
                                    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
                                    suppress gen_id 120, sig_id 6
                                    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                                    suppress gen_id 120, sig_id 8
                                    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
                                    suppress gen_id 120, sig_id 9

                                    Unknown

                                    suppress gen_id 120, sig_id 10
                                    #(smtp) Attempted response buffer overflow: 1448 chars
                                    suppress gen_id 124, sig_id 3
                                    #(ftp_telnet) Invalid FTP Command
                                    suppress gen_id 125, sig_id 2
                                    #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
                                    suppress gen_id 137, sig_id 1
                                    #(IMAP) Unknown IMAP4 command
                                    suppress gen_id 141, sig_id 1

                                    I did the above and I'm getting this error in my System Logs and Snort isn't starting:

                                    FATAL ERROR: /usr/local/etc/snort/snort_63694_igb0/rules/snort.rules(5021) byte_test rule option cannot extract more than 4 bytes without valid string prefix.

                                    1 Reply Last reply Reply Quote 0
                                    • B
                                      bmeeks
                                      last edited by Jun 12, 2017, 10:15 PM

                                      @djseto:

                                      I did the above and I'm getting this error in my System Logs and Snort isn't starting:

                                      FATAL ERROR: /usr/local/etc/snort/snort_63694_igb0/rules/snort.rules(5021) byte_test rule option cannot extract more than 4 bytes without valid string prefix.

                                      Have you searched this sub-forum using the error message text?  If you do, you should encounter this recent thread with your answer:
                                      https://forum.pfsense.org/index.php?topic=130993.msg722272#msg722272.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • B
                                        bimmerdriver
                                        last edited by Sep 7, 2017, 11:33 PM

                                        OP, thank you for providing this guide.

                                        I have some questions.

                                        @bmeeks:

                                        16.  Click the Preprocessors tab.

                                        17.  Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors listed in that section EXCEPT the Sensitive Data preprocessor.  It can cause a lot of alerts and is best used after you gain some experience with Snort.

                                        It's not clear which section of preprocessors you are talking about. There is no General Preprocessor Settings area.

                                        @bmeeks:

                                        19.  Now click on the Categories tab.  This is where we will choose a threat detection policy and associated rules.

                                        20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

                                        What is the difference between Connectivity and Balanced. The description does not explain the difference.

                                        Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy.
                                        It is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity.

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          Mr. Jingles
                                          last edited by Sep 7, 2017, 11:58 PM

                                          @bimmerdriver:

                                          OP, thank you for providing this guide.

                                          I have some questions.

                                          @bmeeks:

                                          16.  Click the Preprocessors tab.

                                          17.  Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors listed in that section EXCEPT the Sensitive Data preprocessor.  It can cause a lot of alerts and is best used after you gain some experience with Snort.

                                          It's not clear which section of preprocessors you are talking about. There is no General Preprocessor Settings area.

                                          @bmeeks:

                                          19.  Now click on the Categories tab.  This is where we will choose a threat detection policy and associated rules.

                                          20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

                                          What is the difference between Connectivity and Balanced. The description does not explain the difference.

                                          Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy.
                                          It is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity.

                                          First: what bimmer do you drive? I have an E39, and a F01  :) Which one do you have? Engine? Automatic gear or manual? Color? Most important Options? In Bimmer world, we are One Big Family  :-*

                                          1. The General Preprocessor Settings indeed is gone. My guess is it is now 'Basic configuration settings', and a lot of other settings that used to be in 'General settings'. I think you could accept the defaults. 'Sensititive data' is now a separate setting all together: unflag it.
                                          2. "Connectivity" versus "balanced" is described: one is more restrictive than the other. It is really nothing more than this: in one setting more categories and rules are enabled than in the other, by default. If you wish to know which ones, enable one settings, and then inspect the rules-tab to find out. It is just a helpful default suggestion from Bill, nothing more. He didn't write a tutorial for stuff you can easily see yourself by simply enabling the setting  ;)

                                          6 and a half billion people know that they are stupid, agressive, lower life forms.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.