Netgate Discussion Forum

Snort, so good that it blocks everything

Firewalling · 5 Posts, 4 Posters, 1.6k Views
gerry613

      Hello there.
I went through probably 20 posts about this and I am glad to know that I am not the only one.
      So basically I have the latest version of pfsense and snort.
      I used the following to set it up:
      https://doc.pfsense.org/index.php/Setup_Snort_Package

and it works great. However, I can barely browse the internet any more because it is blocking most of the traffic.
I disabled the "block Offender" option and started to look at the log to create a whitelist.
However, those logs do not give any useful info.
The priority, class and description don't help much, so unless I check each IP one by one, it is pretty hard to filter.
Even when I get the source and it shows "HTTP inspect unknown method |" or "multiple encoding within Javascript", etc., well, what do you guys do in this situation?

I found a couple of useful posts where people are sharing their own lists, but ultimately I would like to understand the process and not just copy-paste.

For now, I am just letting everything pass through, but I really would like to be able to filter without affecting the network ASAP.

      Thank you for your help.

Harvy66

I think it's recommended to put Snort into a learning mode; then it will log which traffic would be blocked by which rules. Then you trim back rules that would affect your normal usage.

KOM

          When I was playing with it, I didn't have it block anything automatically.  I wanted time to watch what it does and what it reports on, especially when listening on LAN.  I really don't want it blocking all my users for things like running Dropbox, etc.

bmeeks

@gerry613 (quoting the opening post above in full)

            There are a couple of good threads in the Packages forum showing some common Suppress List settings for Snort.  Search for "master suppress list" in that forum and at least one good thread should pop up.  Follow the suggestions found there.  What you are seeing are the common Snort false positives.  These happen because IDS software such as Snort and Suricata inspects traffic against some very rigid RFCs, but many commercial servers (web servers) and software do not strictly adhere to the RFCs.  The HTTP_INSPECT preprocessor in Snort is very famous for false positives due to this strict adherence to the standards.

            Bill

gerry613
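Harvy66's suggestion (run Snort without blocking and log which rules would have fired) and Bill's (build a Suppress List from the common HTTP_INSPECT false positives) meet in the middle: you need to group the logged alerts by signature rather than "check each IP one by one". The script below is an added example, not code from this thread or from the pfSense Snort package. It parses Snort's `alert_fast` text output, groups alerts by `gid:sid`, and drafts entries in Snort's `suppress gen_id ..., sig_id ...` syntax for a human to review. The alert lines in it are constructed, and the `gid:sid` values and messages are placeholders in Snort's shape that were not checked against a live rule set; the `_split_host` helper assumes IPv4 addresses.

```python
"""Triage Snort alerts from a non-blocking ("learning") run and draft a
suppress list for review.  Added example, not code from the thread or the
pfSense Snort package.  The alert lines below are constructed; their gid:sid
values are placeholders in Snort's shape and were not checked against a live
rule set.  Assumes Snort's alert_fast text output and IPv4 addresses."""
import re

# alert_fast format, one alert per line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample log (not real traffic): two LAN hosts tripping the same
# http_inspect check, one server tripping another twice, a priority-2 rule
# that must never be auto-suppressed, and one garbage line.
SAMPLE_ALERTS = """\
03/14-09:15:02.123456  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
03/14-09:15:07.223456  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.11:51240 -> 203.0.113.5:80
03/14-09:16:40.000001  [**] [120:11:1] (http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATION DATA [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.20:443 -> 192.168.1.10:51300
03/14-09:16:41.000001  [**] [120:11:1] (http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATION DATA [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.20:443 -> 192.168.1.12:51310
03/14-09:20:00.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:80 -> 192.168.1.10:51400
03/14-09:20:05.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:80 -> 192.168.1.10:51402
this line is not an alert and is skipped
"""


def _split_host(endpoint):
    """Split 'ip:port' into (ip, port); ICMP alerts carry no port.  IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_host(m["src"])
    dst, dport = _split_host(m["dst"])
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
            "msg": m["msg"], "classification": m["cls"],
            "priority": int(m["pri"]) if m["pri"] else None, "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def summarize(lines):
    """Group alerts by (gid, sid): hit count, priority, distinct sources and destinations."""
    by_sig = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        e = by_sig.setdefault((a["gid"], a["sid"]),
                              {"msg": a["msg"], "priority": a["priority"],
                               "hits": 0, "srcs": set(), "dsts": set()})
        e["hits"] += 1
        e["srcs"].add(a["src"])
        e["dsts"].add(a["dst"])
    return by_sig


def draft_suppress(by_sig, min_hits=2, low_priority=3):
    """Turn the summary into candidate suppress entries plus a manual-review list.

    Snort priority numbers grow as severity drops (1 = high, 3 = low), so only
    signatures at or below low_priority are drafted.  A low-priority signature
    seen from several sources is a likely protocol-strictness false positive
    and is drafted as a global suppress; one seen repeatedly from a single
    source is scoped to that IP with track by_src.  Higher-priority hits go to
    the review list.  Nothing is applied here.
    """
    drafts, review = [], []
    for (gid, sid), e in sorted(by_sig.items()):
        if e["hits"] < min_hits:
            continue
        pri = e["priority"]
        if pri is None or pri < low_priority:
            review.append((gid, sid, e["msg"], pri, e["hits"]))
            continue
        track = None if len(e["srcs"]) > 1 else ("by_src", next(iter(e["srcs"])))
        drafts.append({"gid": gid, "sid": sid, "msg": e["msg"],
                       "hits": e["hits"], "track": track})
    return drafts, review


def render_suppress_list(drafts):
    """Render drafts in Snort's suppress syntax, each preceded by a comment line."""
    out = []
    for d in drafts:
        out.append(f"# {d['gid']}:{d['sid']} {d['msg']} ({d['hits']} hits)")
        line = f"suppress gen_id {d['gid']}, sig_id {d['sid']}"
        if d["track"]:
            line += f", track {d['track'][0]}, ip {d['track'][1]}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    drafts, review = draft_suppress(summary)
    print(render_suppress_list(drafts))
    for gid, sid, msg, pri, hits in review:
        print(f"# REVIEW {gid}:{sid} priority {pri}, {hits} hits: {msg}")
```

Point it at a real alert file by replacing `SAMPLE_ALERTS.splitlines()` with the file's lines. The drafted entries are deliberately not written anywhere: read each one, decide whether the traffic it covers is something your network should actually be allowed to do, and only then paste it into the interface's Suppress List. The priority-2 signature in the sample is listed for review rather than drafted, which is the behaviour you want for anything that is not a preprocessor strictness complaint.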

Thank you all.
Thank you Bill as well. Those are the posts I was talking about.
This is great info, but the work is pre-done (I am not complaining about that); it is just that I might need to block stuff that any other person would allow.
I like to understand what is happening.

So for now, back in learning mode, and I try to check as many alerts as I can to find out what each one is exactly.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.