Netgate Discussion Forum
    Snort false positives? Are those some false positives?

pftdm007

      Hello fellow Snort users!

      I have made some changes to my firewall running Snort 2.9.7.6 pkg v3.2.9.1 and once again I am flooded with alarms that appear to be false positives as they are initiated from sites I trust (or should I?).  With this topic I am hoping to clarify a few things, namely:

- Can I trust the sites generating these alarms even if Snort detects problems with them?
- What are those alarms and their meanings?
- Are they false positives?

      For example, I constantly get the following alarms:

      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
This is mostly generated by Google's domains (yyz08s13-in-f12.1e100.net) and other "reputable" sites

      (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
      Generally generated by tvmaze.com

      (spp_sip) Maximum dialogs within a session reached
      100% generated by my ISP's VOIP server

      ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
      Generated by Tumblr and other social media sites

Searching the web didn't help so much; most of the documentation is incomplete or doesn't have real-life practical applications, and the only source I could find is Snort's website, which doesn't help so much. For example, searching for Sid 140.27:

      Sid 140-27

      Summary
      This event is generated when the SIP preprocessor detects anomalous network traffic.

      Impact
      Unknown. This is an indication of anomalous behaviour between networked assets.

      Detailed Information
      This event is generated when the SIP preprocessor detects anomalous network traffic.
      The number of dialogs in the stream session exceeds the maximal value.
      This event can be controlled using the ((SIP)) configuration options.

      Affected Systems
      All systems using the SIP protocol

      Attack Scenarios
      Nothing here…

      Ease of Attack
      Simple.

      False Positives
      None known.

      False Negatives
      None known.

      Corrective Action
      Nothing here...

Basically, a few hours after having emptied the blocked list in Snort, almost the entirety of the web is blocked, because there are hundreds of alarms generated by Snort and it blocks everything... I need to either disable those rules or understand them and modify my rulesets accordingly.

The other alarms I can deal with for now, as I have a good grasp of their meaning...
      I hope someone can shed light on those ambiguous alarms...
      Thanks!

fsansfil

Well, the short answer would be: disable those rules.

The long answer is: why would your ruleset vendor, Snort or ET, keep useless rules, when every week they disable and delete rules? The 4 rules you mentioned are indeed indications of anomalous behaviour, but some of us prefer to disable those rules because they can be noisy in our environment.

        Can I trust the sites generating these alarms even if Snort detects problems with them?

Disabling those 4 rules doesn't mean you would trust those sites, it just means that you disable 4 rules. Those sites are still being inspected with all the other rules, so if ET WEB_CLIENT Possible HTTP 404 XSS Attempt is sending you to an Angler or Nuclear landing page, you'd get at least another 4-5 rules triggering…

        F.

pftdm007
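Before disabling a rule outright, it helps to measure how noisy it really is and from where. The following Python script is an added example, not code from this thread or from the Snort/pfSense projects: it parses Snort fast-format alert lines, counts hits per gid:sid and per source host, and proposes threshold.conf `suppress` entries, using a by_src suppression when all hits come from a single host (the ISP VoIP server case behind 140:27) and a full suppression when a rule fires from many sources. The sample alert lines are constructed; only 140:27 is a real gid:sid taken from the thread, the other gid:sid values are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
# Only 140:27 is a real gid:sid from the thread; the other gid:sid values are placeholders.
SAMPLE_ALERTS = """\
11/02-09:14:01.112233  [**] [140:27:1] (spp_sip) Maximum dialogs within a session reached [**] [Priority: 3] {UDP} 203.0.113.5:5060 -> 192.168.1.20:5060
11/02-09:14:03.445566  [**] [140:27:1] (spp_sip) Maximum dialogs within a session reached [**] [Priority: 3] {UDP} 203.0.113.5:5060 -> 192.168.1.20:5060
11/02-09:15:10.000001  [**] [120:999:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.10:50214
11/02-09:15:11.000002  [**] [120:999:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 198.51.100.8:443 -> 192.168.1.10:50215
11/02-09:16:00.000003  [**] [1:9999999:2] ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:80 -> 192.168.1.10:50216
"""

# gid:sid:rev, message, protocol and source/destination IPs of one fast-format line
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Yield one dict per parseable alert line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text):
    """Aggregate hits per (gid, sid): message, total count and per-source-IP counts."""
    summary = {}
    for a in parse_alerts(text):
        key = (int(a["gid"]), int(a["sid"]))
        entry = summary.setdefault(key, {"msg": a["msg"], "count": 0, "sources": Counter()})
        entry["count"] += 1
        entry["sources"][a["src"]] += 1
    return summary

def suppress_lines(summary, min_count=2, max_sources=1):
    """Propose threshold.conf 'suppress' entries for rules with >= min_count hits.
    Hits from at most max_sources hosts get a by_src suppression, so the rule
    keeps firing for every other host; wider noise gets a full suppression."""
    out = []
    for (gid, sid), e in sorted(summary.items()):
        if e["count"] < min_count:
            continue
        if len(e["sources"]) <= max_sources:
            for ip in sorted(e["sources"]):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out
```

Feed it the interface's alert log instead of SAMPLE_ALERTS and raise min_count to whatever volume you consider noise; the emitted lines use the standard Snort suppress syntax, which the pfSense package accepts in a Suppress List assigned to the interface.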

          Good to know!

I have disabled those rules for now, but I feel there is still some cleanup to do before I get Snort running smoothly and not acting crazy on every bit that comes & goes from my LAN.

Another thing for people micromanaging the rules: we can remove "Enable/Disable" changes in the current Category, remove all Enable/Disable changes in all Categories (good if you want to return to the stock ruleset), disable all rules in the current Category, enable all rules in the current Category (those two are good to enable/disable all rules quickly), but there is a missing filter to display only specific sets of rules, for example all rules that were manually disabled or enabled, all rules currently disabled or enabled, etc… and a filter to search rules by SID would be great as well... especially during a fatal error..
