Question about snort - help

  • Snort is running on my computer
    But there are sites that it blocks access to

    Is there a place to enroll a site
    so that Snort does not block it

    I tried to insert the name of the website in the white list tab

    But without success
    Then I realized that you first add the site name
    in the "aliases" tab
    I wrote down the site name and its IP
    But it is still blocked

    I guess I'm doing something wrong
    I just do not know what

    How do I prevent Snort from blocking certain sites for me

    In short I got into trouble with it


  • Snort blocks sites based on some logic. If you did not follow the proper setup instructions, of course it will block every site it comes across (simple html request). Please see:

    http://forum.pfsense.org/index.php/topic,61018.0.html
    http://forum.pfsense.org/index.php/topic,64674.0.html
    http://forum.pfsense.org/index.php/topic,56267.0.html

    and read ALL posts in those topics before proceeding with setting up snort.



  • It's a day's work
    If there is a problem
    Is there a way to return to the previous state without having to go one by one

    I understood the intent
    Instead Snort checks the browsing and will cancel the block {suppress List}

    It does not check at all

    But for 10 or 20 sites
    Is it worth all the work

    I now want to try the suppress List
    I do not have a lot of sites that have a problem
    Barely six

    How do I know which rule follows which site

    I get the list of blocked
    I see only IP
    I do not see the name of the site



  • @firefox:

    It's a day's work
    If there is a problem
    Is there a way to return to the previous state without having to go one by one

    I understood the intent
    Instead Snort checks the browsing and will cancel the block {suppress List}

    It does not check at all

    But for 10 or 20 sites
    Is it worth all the work

    I now want to try the suppress List
    I do not have a lot of sites that have a problem
    Barely six

    How do I know which rule follows which site

    I get the list of blocked
    I see only IP
    I do not see the name of the site

    More than likely it is the HTTP_INSPECT preprocessor that is causing you issues.  It can be overly aggressive.  I saw some traffic on the Snort-Developer mailing list over the weekend discussing some bugs in the behavior of this preprocessor.  The Snort developers said some improvements were in the works for a later Snort binary release.

    In the meantime, look in the ALERTS tab of Snort and you will probably see some alerts from the HTTP_INSPECT preprocessor.  These will have the words (http_inspect) under the Description column.  In the SID column will be a number pair such as 120:8.  This is the code for Generator ID and Signature ID.  In this example, the alert is coming from Generator ID 120 (which is the HTTP_INSPECT preprocessor) and the specific alert is from Signature ID 8.  Underneath the number pair will be a plus icon (+).  Clicking that icon will automatically add that SID to the Suppress List for the interface.  Once on the Suppress List, that alert will not cause any further blocks.

    As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system.  For example, do an nslookup on "yahoo.com" and you will see a number of IP addresses returned.  So for any given session, your browser could connect to any one of those IP addresses.

    Bill
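    As an added example (not code from the thread or from the pfSense Snort package), the script below parses alert lines in Snort's alert_fast style, pulls out the Generator ID:Signature ID pair Bill describes, and emits suppress-list lines in Snort's own `suppress gen_id N, sig_id M` syntax only for HTTP_INSPECT alerts (GIDs 119/120), leaving rule hits (GID 1) for a human to judge. It also lists the distinct destination IPs seen per alert, which shows why suppressing by IP fits poorly for load-balanced sites. The alert text, IPs and timestamps are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed alert_fast-style lines (not from the thread). GIDs 119/120 are the
# HTTP_INSPECT client/server generators; GID 1 is an ordinary text rule.
SAMPLE_ALERTS = """\
04/02-09:15:01.112233  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 3] {TCP} 192.168.1.10:52344 -> 203.0.113.20:80
04/02-09:15:03.445566  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 192.168.1.10:52345 -> 203.0.113.21:80
04/02-09:15:07.778899  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.10:52346 -> 203.0.113.22:80
04/02-09:16:10.000111  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.50:80 -> 192.168.1.10:52347
04/02-09:16:12.000222  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 3] {TCP} 192.168.1.10:52348 -> 203.0.113.23:80
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"   # GID:SID:rev, e.g. 120:8:1
    r"(?:\((?P<generator>[^)]+)\)\s+)?"                # "(http_inspect)" on preprocessor alerts
    r"(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)
PREPROCESSOR_GIDS = {119, 120}  # text rules from the rule sets use GID 1

def parse_alerts(text):
    """One dict per alert line, with gid/sid as ints and src/dst IPs."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["gid"], rec["sid"] = int(rec["gid"]), int(rec["sid"])
            alerts.append(rec)
    return alerts

def suppress_entries(alerts, gids=PREPROCESSOR_GIDS):
    """Suppress-list lines in Snort's suppress syntax, only for the chosen
    preprocessor generators; GID 1 rule hits are left for a human to judge."""
    pairs = sorted({(a["gid"], a["sid"]) for a in alerts if a["gid"] in gids})
    return [f"suppress gen_id {gid}, sig_id {sid}" for gid, sid in pairs]

def destinations_by_sid(alerts):
    """Distinct destination IPs per GID:SID: one site behind a load balancer
    shows up as many addresses, which is why suppressing by IP fits poorly."""
    dests = defaultdict(set)
    for a in alerts:
        dests[f"{a['gid']}:{a['sid']}"].add(a["dst"])
    return {k: sorted(v) for k, v in dests.items()}
```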



  • As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system.  For example, do an nslookup on "yahoo.com" and you will see a number of IP addresses returned.  So for any given session, your browser could connect to any one of those IP addresses.

    Bill

    I guess that's what I will be able to use the aliases tab for
    Or I did not understand well



  • @firefox:

    I guess that's what I will be able to use the aliases tab for
    Or I did not understand well

    Aliases in the Whitelist are still a bit in the future (if ever).  There are lots of issues to iron out in order to pull that off.  I was simply talking about the ability on the ALERTS or BLOCKED tabs of being able to click an icon and perform a reverse DNS lookup on the displayed IP address.  This is more of a convenience some other users asked for.

    Bill



  • I know what you mean
    I just thought I'd do it in a roundabout way {around it}
    Because the correct path is a bit complicated
    Or rather a lot of time to work on

    In the alerts tab
    There is a list of sites that Snort alerts on

    Near each alert there is a plus sign + that adds the alert to suppression
    The problem is I do not know which alerts are real and which are false

    How do I know?
    Otherwise it would be simple
    Add all of them to the suppression list

    How can you add more files with high weight to a single message




  • Another image




  • Another image


