Snort "disable http alerts"



  • I am not seeing where this is an option in the newest snort release.  I have x64 nano.  I have the older version with this option.  Was there a reason why it was removed? I think it made the package more stable? I have had the older version running for months with no issues.  I am having serious http false positives with the newest version.



  • @newbieuser1234:

    I am not seeing where this is an option in the newest snort release.  I have x64 nano.  I have the older version with this option.  Was there a reason why it was removed? I think it made the package more stable? I have had the older version running for months with no issues.  I am having serious http false positives with the newest version.

    It's not removed. It was moved to the "per engine" configuration screen.  Beginning with the v3.0.0 Snort package, you can have multiple engine configuration targets for some of the preprocessors.  These targets allow you to customize the settings for various hosts/networks in your environment.

    To see the setting, go to the Preprocessors tab.  In the HTTP Inspect section, click the e icon beside the default engine.  This will open the details pane where you will find the setting you are asking about.

    The new multi-engine configuration lets you specify unique settings for various hosts or networks in your environment.  For example, one web host might be running Apache while two others run IIS.  With the old Snort you could only choose one web server option that applied to all web hosts.  Now you can split up hosts/networks (using defined Aliases) and individually tailor Snort protections for specific hosts.  There is always a "default" engine defined that cannot be deleted.  This default engine catches any traffic destined for hosts not defined by a configuration engine.  This capability exists now for the HTTP Inspect, Frag3, Stream5, FTP Server and FTP Client preprocessors.

    Two screenshots are attached below illustrating the process.  Unfortunately they posted backwards.  The bottom image is the first screen you see, then the second image shows the second window.






  • If I am having problem with http slowness and inspect blocks is it correct to disable the alerts to make it faster?



  • @newbieuser1234:

    If I am having problem with http slowness and inspect blocks is it correct to disable the alerts to make it faster?

    newbieuser1234:

    The way to solve your issues is by adding these alerts to the Suppress List.  Go to the Alerts tab, and for each HTTP Inspect block you think is bogus, click the plus icon (+) in the SID column.  That will automatically add that alert to the Suppress List and it won't cause further blocks.  Do this for all the HTTP Inspect alerts you don't want to cause blocks, then stop and restart Snort on that interface when you're done.

    Alternatively, run Snort in non-blocking mode for several days or weeks to get a feel for the traffic in your environment.  Look at the Alert logs and add Suppress Entries for things you believe are false positives.  Once you have a good Suppress List with few or no false positives showing up in the Alerts, then put Snort back into blocking mode.  You do this on the Interface Edit tab for the interface in Snort.

    Bill
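The Suppress List workflow Bill describes (read the Alerts tab, suppress the HTTP Inspect hits you consider bogus, restart Snort) can be reproduced outside the GUI from the alert log. The following is an added example, not code from the thread or from the pfSense Snort package: it parses Snort "fast" alert lines, keeps the ones raised by the HTTP Inspect preprocessor (generator ID 119 for client-side checks, 120 for server-side checks), and emits `suppress` lines in the syntax Snort's threshold.conf accepts. The alert lines, hosts and SIDs in `SAMPLE_ALERTS` are constructed for illustration. The `scope_to_host` option goes beyond the per-SID "+" icon in the thread: it narrows each suppression to the web server that produced it (`track by_dst`/`by_src, ip ...`), so a noisy rule is silenced for one host instead of for the whole interface.

```python
"""Generate Snort Suppress List entries from HTTP Inspect alerts.

Added example, not part of the forum thread or the pfSense Snort package.
Parses Snort fast-alert lines, keeps HTTP Inspect alerts (GID 119 = client
request checks, GID 120 = server response checks) and emits threshold.conf
`suppress` lines. All sample alert lines below are constructed.
"""
import re
from collections import Counter

# Snort fast-alert format:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.:]+)\s+->\s+(?P<dst>[\d.:]+)"
)

HTTP_INSPECT_GIDS = {119, 120}  # HTTP Inspect preprocessor generator IDs

# Constructed sample log: two client-side hits, one server-side hit, one
# ordinary rule alert (GID 1) that must NOT be suppressed by this tool.
SAMPLE_ALERTS = """\
01/15-09:12:03.118841  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.23:51234 -> 10.0.0.10:80
01/15-09:12:03.220913  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.23:51236 -> 10.0.0.10:80
01/15-09:12:07.004120  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 10.0.0.10:80 -> 192.168.1.23:51236
01/15-09:13:44.560070  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.10:80 -> 192.168.1.23:51240
"""


def parse_alerts(text):
    """Return one dict per parseable fast-alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        alerts.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "msg": m["msg"],
            # strip the port so we keep only the host address
            "src": m["src"].rsplit(":", 1)[0],
            "dst": m["dst"].rsplit(":", 1)[0],
        })
    return alerts


def http_inspect_counts(alerts):
    """Count HTTP Inspect alerts per (gid, sid, msg) so the noisiest can be reviewed first."""
    return Counter(
        (a["gid"], a["sid"], a["msg"]) for a in alerts if a["gid"] in HTTP_INSPECT_GIDS
    )


def suppress_entries(alerts, scope_to_host=False):
    """Emit threshold.conf `suppress` lines for every HTTP Inspect GID:SID seen.

    scope_to_host=False mirrors the per-SID "+" icon: suppress globally.
    scope_to_host=True limits each entry to the web server involved: GID 119
    fires on client requests (server is the destination), GID 120 on server
    responses (server is the source).
    """
    entries, seen = [], set()
    for a in alerts:
        if a["gid"] not in HTTP_INSPECT_GIDS:
            continue
        if scope_to_host:
            track, ip = ("by_dst", a["dst"]) if a["gid"] == 119 else ("by_src", a["src"])
            key = (a["gid"], a["sid"], track, ip)
            line = f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track {track}, ip {ip}"
        else:
            key = (a["gid"], a["sid"])
            line = f"suppress gen_id {a['gid']}, sig_id {a['sid']}"
        if key not in seen:  # one entry per distinct suppression
            seen.add(key)
            entries.append(line)
    return entries


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in http_inspect_counts(parsed).most_common():
        print(f"# {gid}:{sid} {msg}: {n} alert(s)")
    print("\n".join(suppress_entries(parsed, scope_to_host=True)))
```

Review the counts before pasting the output into the Suppress List: a SID that fires only from one internal client against one server is a candidate for a host-scoped entry, while one that fires across many hosts usually means the HTTP Inspect engine profile (Apache vs IIS, as in the per-engine configuration above) is the thing to fix rather than the alert.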
