Snort blocks many websites with "block offender" checked



  • I've been having issues with Snort. I tried checking the box that says "block offender" (automatically block hosts that generate a Snort alert).

    I am using the free Snort VRT Rules through oinkmaster, emerging threats and community rules.

    I am either missing a setting, or at least one of these rule sets is too restrictive for everyday web access with the "block offender" box checked. I get blocked from many websites, such as the news sites Foxnews.com and Yahoo. Other sites, such as Centurylink.com, had no access at all.

    I am interested to know: what are others doing with this setting?



  • The HTTP preprocessor does fire a lot of false positives. You can either add the single rules to your suppress list or enable this setting:

    Disable Alerts from this engine configuration. Default is Not Checked.

    You can find it under the settings for your Interface -> <interface name> -> Preprocessors -> HTTP Inspect / Server Configuration (click the E to edit)



  • @fragged:

    The HTTP preprocessor does fire a lot of false positives. You can either add the single rules to your suppress list or enable this setting:

    Disable Alerts from this engine configuration. Default is Not Checked.

    You can find it under the settings for your Interface -> <interface name> -> Preprocessors -> HTTP Inspect / Server Configuration (click the E to edit)

    Thanks, I'll give that setting a try. I don't have time to deal with single rules at the moment, maybe at a later date. Take Centurylink.com; it generated 19 blocks from one session. I went through the logs and checked quite a few of the blocks manually and found no actual threats.

    It makes sense to me to block offenders, provided it detects actual offenders without all the false positives.



  • @iraiam:

    Thanks, I'll give that setting a try. I don't have time to deal with single rules at the moment, maybe at a later date. Take Centurylink.com; it generated 19 blocks from one session. I went through the logs and checked quite a few of the blocks manually and found no actual threats.

    It makes sense to me to block offenders, provided it detects actual offenders without all the false positives.

    The HTTP_INSPECT preprocessor is unfortunately very good at generating false positives. Some of them are likely the fault of code in the preprocessor itself, but many are due to various web servers not adhering strictly to the standards. No matter which is the real problem, it's a fact of life for IDS/IPS admins that false positives will occur. Snort on pfSense uses the binary file produced by the Snort VRT, so any bugs in that code show up in pfSense.

    There is a thread that lists many of the known false-positives, and some users have shared their Suppress Lists.  You might want to try some of their shared settings.  Here is the link:  https://forum.pfsense.org/index.php/topic,56267.0.html
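The two remedies raised in this thread are disabling alerts for the whole HTTP Inspect engine, or adding individual suppress entries. A suppress entry scoped with `track by_src`/`track by_dst` to the web server that triggered it is the narrower fix: the preprocessor keeps alerting on the same check for every other host, whereas the engine-wide "Disable Alerts" switch silences all of its checks everywhere. The script below is an added example, not code from the thread or from the pfSense Snort package. It reads Snort `alert_fast` log lines, counts HTTP Inspect alerts (generator IDs 119 for client-side and 120 for server-side checks) per rule and per external host, and emits candidate suppress directives in the `threshold.conf` syntax that the pfSense Suppress List uses. The sample alert lines, the 192.168.1.0/24 LAN prefix and the 10.0.0.x "web server" addresses are all constructed for the example; alerts from other generators (a real rule hit is included in the sample) are reported separately for review and never turned into suppress lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort generator IDs for the two halves of the HTTP Inspect preprocessor:
# 119 = http_inspect client-side checks (requests), 120 = server-side (responses).
HTTP_INSPECT_GIDS = {119, 120}

# Constructed alert_fast lines for illustration only (not taken from the thread).
# 192.168.1.0/24 plays the LAN; the 10.0.0.x hosts stand in for external web servers.
SAMPLE_ALERTS = """\
01/15-10:22:31.104512  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:52344 -> 10.0.0.5:80
01/15-10:22:31.221340  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:52345 -> 10.0.0.5:80
01/15-10:22:32.002101  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.5:80 -> 192.168.1.10:52344
01/15-10:23:05.551900  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.11:40102 -> 10.0.0.6:80
01/15-10:23:41.017733  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:80 -> 192.168.1.10:52400
"""

# alert_fast layout: timestamp  [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match.
    The port is split off with rpartition so the address part stays intact
    (IPv4 here; IPv6 endpoints would need bracket handling)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip = m.group("src").rpartition(":")[0]
    dst_ip = m.group("dst").rpartition(":")[0]
    return {
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "src": ip_address(src_ip),
        "dst": ip_address(dst_ip),
    }


def external_side(alert, local_net):
    """Return ('by_dst', ip) or ('by_src', ip) for the non-LAN end of the flow.
    For gid 119 (client requests) the web server is normally the destination, for
    gid 120 (server responses) the source; checking the LAN prefix instead of
    trusting the gid keeps the track direction right either way. None if both
    ends are local (nothing sensible to pin a suppress entry to)."""
    if alert["dst"] not in local_net:
        return "by_dst", str(alert["dst"])
    if alert["src"] not in local_net:
        return "by_src", str(alert["src"])
    return None


def tally(lines, local_net, gids=HTTP_INSPECT_GIDS):
    """Count alerts per (gid, sid, msg, track, external_ip) for the given generators.
    Alerts from other generators go into a separate 'review' counter and are never
    proposed for suppression."""
    local_net = ip_network(local_net)
    counts, review = Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"], a["msg"])
        if a["gid"] not in gids:
            review[key] += 1
            continue
        side = external_side(a, local_net)
        if side is None:
            continue
        counts[key + side] += 1
    return counts, review


def suppress_entries(counts, min_hits=1):
    """Render Snort suppress directives (threshold.conf / pfSense Suppress List syntax),
    one per (rule, external host), noisiest first, each preceded by a comment line."""
    out = []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][:2], kv[0][4]))
    for (gid, sid, msg, track, ip), n in ordered:
        if n < min_hits:
            continue
        out.append(f"# {msg} ({n} hits)\nsuppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return out


if __name__ == "__main__":
    counts, review = tally(SAMPLE_ALERTS.splitlines(), "192.168.1.0/24")
    print("\n".join(suppress_entries(counts)))
    for (gid, sid, msg), n in review.items():
        print(f"# REVIEW (not http_inspect, left active): [{gid}:{sid}] {msg} x{n}")
```

Paste the emitted `suppress` lines into the interface's Suppress List (Services -> Snort -> Suppress) after checking, as the poster above did, that the blocked sessions were benign; the `min_hits` argument lets you ignore one-off alerts and only propose entries for hosts that trip a check repeatedly.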

