Re: Few questions from a new Snort user

[Marcin Dulak via Snort-users <snort-users () lists snort org>]

On Sat, Sep 2, 2017 at 11:56 PM, Matt Rogghe via Snort-users <
snort-users () lists snort org> wrote:

> Snort “for home” (paid) running on Pfsense.  Works amazingly well.  Now
> I’m trying to understand all the ins and outs of alerting, syslog, various
> rules and settings.  I’ve spent a good chunk of the day reading and
> configuring and testing.  There are a couple of questions I have I couldn’t
> answer, at least answer simply, in my travels…
>
> 1) One of the biggest wants I have is to automatically block known
> malicious domains and IPs using lists like at SANS and others.
> https://isc.sans.edu/suspicious_domains.html
> I *think* Snort VRT rules do at least some of that, though I’m having
> difficulty at this early/noob stage parsing all the Snort rules.  I did
> enable the Emerging Threats rules for this type of traffic.  Is that the
> best/recommended way to go?

there are some documents describing how to use snort reputation
preprocessor in pfsense, and this link explains the basic on a "real" snort
instance
http://sublimerobots.com/2015/12/the-snort-reputation-preprocessor/


> 2) On the topic of Emerging Threats, I read a whole host of conflicting
> information about it’s value and overlap with standard/VRT (the paid
> version) Snort rules.  I have only enabled a small sub-selection of the
> Emerging Threats categories as I test and get comfortable with it.  Is
> there in fact a good amount of overlap?  Perfectly fine and/or recommended
> to use the two together?
>
> 3) Is there a simple explanation someplace of the alerts that Snort
> throws?  Example I parsed through today:
> (http_inspect) MULTIPLE HOST HDRS DETECTED
> Going all the way back to the HTTP specification, appears multiple host
> headers (multiple any headers really) are allowed, though of course this
> situation doesn't make a lot of sense.  Is this a general rule of thumb
> that “yeah sure allowed by spec, but us network admins know from experience
> it’s only ever used in attacks” ?  Any good collection of accumulated
> wisdom on this type of thing out there?
> Interestingly, the traffic being alerted/blocked here is coming from an
> internal DirectTV device (properly VLAN’d off) out to the internets.
> Suppose I should send them a nasty gram.

read about "multiple host headers" in google and decide whether to disable
this gid/sid
http://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html
https://www.snort.org/faq/readme-http_inspect

Marcin


> Thanks folks.  Inner geek is very happy today with increased security :)



> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!