Snort not working



  • Snort is only detecting http_inspect. It's always 'http_inspect: UNKNOWN METHOD' or 'http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE'. I've tried using IDSWakeup, which didn't trigger anything. I also tried an online port scanner, which didn't trigger anything. I have set Snort up listening on the WAN port. I should probably note that my ISP requires me to set up a virtual WAN port on VLAN 35, and that is what Snort is listening on.

    Screenshots: http://imgur.com/a/BtYoq

    Yes, I have updated the rules, and I have restarted Snort.



  • @laptopdude90:


    Those are very common false positives.  Did you read the threads here in the Packages sub-forum about generating a Suppress List so that the known false positives don't trigger?  Search this forum for threads about Suppress List generation.

    Do you have blocking enabled on your interfaces?  You set this on the INTERFACE settings tab.

    Bill



  • @bmeeks:


    The problem isn't the false positives, it's the fact that they're the only things that trigger.

    What do you mean about this blocking interfaces thing? Where do I find it?
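    An added example, not from the original thread or from the pfSense Snort package, that does what the two posts above are discussing: it reads Snort alert_fast lines, counts alerts by generator and signature ID so you can see whether anything other than the http_inspect preprocessor is firing (GID 119 is the client-side http_inspect generator, GID 120 the server-side one, while text rules alert under GID 1), and emits suppress entries in Snort's threshold.conf syntax for the preprocessor alerts seen. The log lines, the IP addresses and the local rule with SID 1000001 are constructed for the example.

```python
import re
from collections import Counter

# Snort "alert_fast" output looks like (one alert per line):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
# The regex below is written for this example and is not part of Snort itself.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
)

# http_inspect preprocessor generator IDs: 119 = client side, 120 = server side.
HTTP_INSPECT_GIDS = (119, 120)

# Constructed sample log (not taken from the poster's screenshots). Three
# http_inspect preprocessor alerts and one hit from a hypothetical local rule.
SAMPLE_ALERTS = """\
04/12-10:15:23.123456  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 198.51.100.7:51234 -> 203.0.113.10:80
04/12-10:15:24.222222  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 198.51.100.7:51234
04/12-10:16:01.000001  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 198.51.100.7:51240 -> 203.0.113.10:80
04/12-10:20:45.555555  [**] [1:1000001:1] LOCAL test rule (constructed) [**] [Priority: 1] {ICMP} 198.51.100.7 -> 203.0.113.10
"""


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "prio": int(m.group("prio")) if m.group("prio") else None,
    }


def summarize(log_text):
    """Count alerts by (gid, sid) over a block of alert_fast lines."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            counts[(alert["gid"], alert["sid"])] += 1
    return counts


def rule_hits(counts):
    """Number of alerts that came from text rules (GID 1) rather than preprocessors."""
    return sum(n for (gid, _sid), n in counts.items() if gid == 1)


def preprocessor_only(counts):
    """True when every alert came from a preprocessor, i.e. no text rule ever matched.
    That is the situation the poster describes: only http_inspect events, nothing else."""
    return len(counts) > 0 and rule_hits(counts) == 0


def suppress_entries(counts, gids=HTTP_INSPECT_GIDS):
    """Suppress lines (threshold.conf syntax) for the preprocessor alerts that were seen.
    The pfSense package applies such entries through its Suppress List; the syntax is
    Snort's own: 'suppress gen_id <gid>, sig_id <sid>'."""
    return sorted(
        f"suppress gen_id {gid}, sig_id {sid}"
        for (gid, sid) in counts
        if gid in gids
    )


if __name__ == "__main__":
    counts = summarize(SAMPLE_ALERTS)
    for (gid, sid), n in counts.most_common():
        print(f"{gid}:{sid}  x{n}")
    print("text-rule hits:", rule_hits(counts))
    print("preprocessor alerts only:", preprocessor_only(counts))
    print("\n".join(suppress_entries(counts)))
```

    Run it against a real log with `summarize(open("/var/log/snort/alert").read())` (the path is the default alert_fast location and may differ on your install). A result where `preprocessor_only` is True tells you the rules themselves never matched, which is a separate question from whether the preprocessor noise should be suppressed; the suppress lines only deal with the second.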



  • @laptopdude90:


    1.  From the pfSense menu, choose Services…Snort.

    2.  When the Snort tabs appear, either double-click on a selected interface or click the "e" icon to edit that interface.

    3.  The action in #2 above will open a new set of tabs for that specific interface's configuration.  On the SETTINGS tab you will find checkboxes for enabling the blocking of offenders.

    You can see what blocks have been put in place by clicking the BLOCKED tab.

    Where do you have Snort configured? Is it on the WAN interface or another one?  And how specifically did you run the IDSWakeup test?  Did you run that from a remote machine and target the firewall interface where Snort was running?  Depending on where you browse to and the amount of traffic on your network, it is quite common to have few Snort alerts.  For instance, on my home LAN where Snort is configured on the WAN and LAN, I get maybe one LAN alert per week because there is just me and my wife surfing and we have only a few favorite sites we visit.  On the WAN side I get a number of alerts per hour from some IP blacklists using the IP REPUTATION preprocessor.

    Bill



  • @bmeeks:


    Blocking is turned off. Snort is configured on the WAN interface. I ran the test from my father's network on my linux laptop, directed toward my IP.