Snort mailing list archives

Re: Few questions from a new Snort user


From: Alberto Colosi via Snort-users <snort-users () lists snort org>
Date: Sat, 2 Sep 2017 22:47:38 +0000

If I'm right, you don't have ITC security knowledge and/or experience.

Yes, firewalls and IDS/IPS are "nice", but in the end, if you don't know:

- TCP/IP, troubleshooting TCP/IP (like ping works but HTTPS does not in a router scenario).
- Vulnerabilities
- TCP/IP ports, services and so on
- knowledge of at least the main RFCs, like FTP, HTTP, HTTPS, POP3, IMAP, SMTP, ...
- SMTP, POP3 and FTP statements
- the difference between FTP, FTPS and SFTP
- and so on


I think the questions you asked here are "right". Suspicious domains are IPs, domains and CIDRs where suspicious activities are commonly detected. Each "ban" should be commented, and you should be able to read it.


Lastly, IDS/IPS, firewalls and more are not only used to "protect" and/or to intercept malicious activities, but can be and are widely used to control, monitor, shape and much more (zombie hosts, malware, ...).


Did I understand your "doubts" about alerting correctly? Some are even for fun, like ICMP echo request and reply (if activated). In the end they don't mean a lot in security, but they are information. Lastly (again), take a look at unneeded messages, suppress them in the Snort conf, and watch the log growth rate so you don't get ZERO BYTED.



ITC NetWork & Security Architect and Engineer



________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Matt Rogghe via Snort-users <snort-users () lists snort org>
Sent: Saturday, September 2, 2017 11:56 PM
To: snort-users () lists snort org
Subject: [Snort-users] Few questions from a new Snort user

Snort “for home” (paid) running on Pfsense.  Works amazingly well.  Now I’m trying to understand all the ins and outs 
of alerting, syslog, various rules and settings.  I’ve spent a good chunk of the day reading and configuring and 
testing.  There are a couple of questions I have I couldn’t answer, at least answer simply, in my travels…

1) One of the biggest wants I have is to automatically block known malicious domains and IPs using lists like at SANS 
and others.
https://isc.sans.edu/suspicious_domains.html

I *think* Snort VRT rules do at least some of that, though I’m having difficulty at this early/noob stage parsing all 
the Snort rules.  I did enable the Emerging Threats rules for this type of traffic.  Is that the best/recommended way 
to go?

2) On the topic of Emerging Threats, I read a whole host of conflicting information about its value and overlap with 
standard/VRT (the paid version) Snort rules.  I have only enabled a small sub-selection of the Emerging Threats 
categories as I test and get comfortable with it.  Is there in fact a good amount of overlap?  Perfectly fine and/or 
recommended to use the two together?

3) Is there a simple explanation someplace of the alerts that Snort throws?  Example I parsed through today:
(http_inspect) MULTIPLE HOST HDRS DETECTED
Going all the way back to the HTTP specification, appears multiple host headers (multiple any headers really) are 
allowed, though of course this situation doesn't make a lot of sense.  Is this a general rule of thumb that “yeah sure 
allowed by spec, but us network admins know from experience it’s only ever used in attacks” ?  Any good collection of 
accumulated wisdom on this type of thing out there?
Interestingly, the traffic being alerted/blocked here is coming from an internal DirectTV device (properly VLAN’d off) 
out to the internets.  Suppose I should send them a nasty gram.

Thanks folks.  Inner geek is very happy today with increased security :)
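A worked configuration for the "suppress unneeded messages in the Snort conf" advice in the reply and the http_inspect alert in the quoted question, added here as an example; it is not part of either message. It assumes Snort 2.9 threshold/suppress syntax (on pfSense these lines go in the interface's suppression list), a placeholder address 192.0.2.10 for the VLAN'd DirectTV device, and the gid:sid values noted in the comments, which you should confirm against your own alert lines.

```snort
# Constructed example: Snort 2.9 suppress / event_filter directives.
# 119:24 is the http_inspect "MULTIPLE HOST HDRS DETECTED" event and
# 1:384 / 1:408 are the classic "ICMP PING" / "ICMP Echo Reply" rules
# (assumed here; verify the gid:sid shown in your own alert output).

# Silence the multiple-Host-header alert only for the one known device
# (placeholder address). The same event from any other source still fires,
# so a real attack elsewhere on the network is not hidden.
suppress gen_id 119, sig_id 24, track by_src, ip 192.0.2.10

# Keep the ICMP echo alerts as information, but rate-limit them so a
# ping sweep cannot flood the log: at most one alert per source per hour.
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
```

Prefer a narrow suppress (by source or destination IP) over disabling the rule outright, and leave a comment on each line stating why it exists, as the reply recommends.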