[Snort-users] Few questions from a new Snort user

Matt Rogghe mrogghe at gmail.com
Sat Sep 2 17:56:43 EDT 2017


Snort “for home” (paid) running on pfSense.  Works amazingly well.  Now I’m trying to understand all the ins and outs of alerting, syslog, various rules and settings.  I’ve spent a good chunk of the day reading and configuring and testing.  There are a couple of questions I have I couldn’t answer, at least answer simply, in my travels…

1) One of the biggest wants I have is to automatically block known malicious domains and IPs using lists like those at SANS and others.
https://isc.sans.edu/suspicious_domains.html
I *think* Snort VRT rules do at least some of that, though I’m having difficulty at this early/noob stage parsing all the Snort rules.  I did enable the Emerging Threats rules for this type of traffic.  Is that the best/recommended way to go?

2) On the topic of Emerging Threats, I read a whole host of conflicting information about its value and overlap with standard/VRT (the paid version) Snort rules.  I have only enabled a small sub-selection of the Emerging Threats categories as I test and get comfortable with it.  Is there in fact a good amount of overlap?  Perfectly fine and/or recommended to use the two together?

3) Is there a simple explanation someplace of the alerts that Snort throws?  Example I parsed through today:
(http_inspect) MULTIPLE HOST HDRS DETECTED
Going all the way back to the HTTP specification, it appears multiple host headers (multiple any headers really) are allowed, though of course this situation doesn't make a lot of sense.  Is this a general rule of thumb that “yeah sure allowed by spec, but us network admins know from experience it’s only ever used in attacks”?  Any good collection of accumulated wisdom on this type of thing out there?
Interestingly, the traffic being alerted/blocked here is coming from an internal DirecTV device (properly VLAN’d off) out to the internets.  Suppose I should send them a nasty gram.

Thanks folks.  Inner geek is very happy today with increased security :)
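As an added illustration of the condition behind the `(http_inspect) MULTIPLE HOST HDRS DETECTED` alert in question 3 (not code from the poster or from Snort), the following checks a raw HTTP/1.x request for more than one Host header, matching names case-insensitively as a server would. The sample requests are constructed; the host names and device paths are made up.

```python
"""Flag HTTP requests carrying more than one Host header, the condition that
Snort's http_inspect reports as MULTIPLE HOST HDRS DETECTED.
Example code, not Snort's own implementation."""


def parse_headers(raw: bytes):
    """Return (request_line, [(lower_name, value), ...]) for a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:
            # Obsolete line folding: the line continues the previous header value.
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, _, value = line.partition(b":")
        # Header field names are case-insensitive, so "Host" and "HOST" are the same field.
        headers.append((name.strip().lower().decode("latin-1"), value.strip()))
    return request_line, headers


def duplicate_headers(raw: bytes) -> dict:
    """Map header name -> occurrence count for every header seen more than once."""
    _, headers = parse_headers(raw)
    counts = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    return {name: count for name, count in counts.items() if count > 1}


def has_multiple_host(raw: bytes) -> bool:
    """True when the request would trip the MULTIPLE HOST HDRS condition."""
    return duplicate_headers(raw).get("host", 0) > 1


# Constructed sample traffic (not captured from any real device).
BAD_REQUEST = (b"GET /guide HTTP/1.1\r\n"
               b"Host: cdn.example.invalid\r\n"
               b"User-Agent: stb/1.0\r\n"
               b"HOST: other.example.invalid\r\n\r\n")
GOOD_REQUEST = (b"GET / HTTP/1.1\r\n"
                b"Host: www.example.invalid\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST)):
        print(label, has_multiple_host(req), duplicate_headers(req))
```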