[Snort-users] Few questions from a new Snort user

Alberto Colosi alcol at hotmail.com
Sat Sep 2 18:47:38 EDT 2017

If I'm right, you don't have ITC security knowledge and/or experience.

Yes, firewalls and IDS/IPS are "nice", but in the end, if you don't know:

- TCP/IP, troubleshooting TCP/IP (e.g. ping works but HTTPS does not, in a router scenario).

- Vulnerabilities

- TCP/IP ports, services and so on

- at least the main RFCs, like FTP, HTTP, HTTPS, POP3, IMAP, SMTP ....

- SMTP, POP3 and FTP statements

- the difference between FTP, FTPS and SFTP

- and so on

I think the questions you asked here are "right". Suspicious domains are IPs, domains and CIDRs where suspicious activity is commonly detected. Each "ban" should be commented, and you should be able to read it.

Lastly, IDS/IPS, firewalls and more are not only used to "protect" and/or to intercept malicious activity, but can be and are widely used even to control, monitor, shape and much, much more (zombie hosts, malware, ...).

Did I understand your "doubts" about alerting correctly? Some are even for fun, like ICMP echo request and reply (if activated). In the end they don't mean a lot for security, but they are information. Lastly (again), take a look at unneeded messages, suppress them in the Snort conf, and watch the log growth rate so you don't get ZERO BYTED.

ITC NetWork & Security Architect and Engineer

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Matt Rogghe via Snort-users <snort-users at lists.snort.org>
Sent: Saturday, September 2, 2017 11:56 PM
To: snort-users at lists.snort.org
Subject: [Snort-users] Few questions from a new Snort user

Snort “for home” (paid) running on pfSense.  Works amazingly well.  Now I’m trying to understand all the ins and outs of alerting, syslog, various rules and settings.  I’ve spent a good chunk of the day reading and configuring and testing.  There are a couple of questions I have that I couldn’t answer, at least not simply, in my travels…

1) One of the biggest wants I have is to automatically block known malicious domains and IPs using lists like at SANS and others.

Suspicious Domains - SANS Internet Storm Center <https://isc.sans.edu/suspicious_domains.html>

I *think* Snort VRT rules do at least some of that, though I’m having difficulty at this early/noob stage parsing all the Snort rules.  I did enable the Emerging Threats rules for this type of traffic.  Is that the best/recommended way to go?

2) On the topic of Emerging Threats, I read a whole host of conflicting information about its value and overlap with standard/VRT (the paid version) Snort rules.  I have only enabled a small sub-selection of the Emerging Threats categories as I test and get comfortable with it.  Is there in fact a good amount of overlap?  Perfectly fine and/or recommended to use the two together?

3) Is there a simple explanation someplace of the alerts that Snort throws?  Example I parsed through today:
Going all the way back to the HTTP specification, appears multiple host headers (multiple any headers really) are allowed, though of course this situation doesn't make a lot of sense.  Is this a general rule of thumb that “yeah sure allowed by spec, but us network admins know from experience it’s only ever used in attacks” ?  Any good collection of accumulated wisdom on this type of thing out there?
Interestingly, the traffic being alerted/blocked here is coming from an internal DirecTV device (properly VLAN’d off) out to the internets.  Suppose I should send them a nasty gram.

Thanks folks.  Inner geek is very happy today with increased security :)
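Added example, not from either poster, pfSense or the Snort project: one way to turn a threat-intel list (question 1 above) into Snort 2 rules where every "ban" carries a comment saying where it came from, as the reply recommends, plus a helper that builds the `suppress` lines the reply suggests for noisy signatures such as ICMP echo. The feed text is constructed sample data, not the SANS ISC list; the SID base is an assumption (local rules just need sids above the reserved range); and the suppress usage assumes gid 1 / sid 384 is the stock "ICMP PING" rule, which should be checked against the installed ruleset before use. Domain indicators become DNS-query rules matching the wire-format label encoding, so `bad.example` cannot match inside `notbad.example.net`.

```python
"""Convert a constructed indicator feed into commented Snort 2 rules.

Sample data, SID_BASE and the ICMP sid in suppress_line() are assumptions.
"""
import ipaddress

# Constructed sample feed in "indicator<TAB>source" form (not a real feed).
SAMPLE_FEED = """\
# indicator\tsource
198.51.100.7\tconstructed-sample
203.0.113.0/24\tconstructed-sample
bad.example\tconstructed-sample
phish.example.net\tconstructed-sample
not a valid entry\tconstructed-sample
"""

SID_BASE = 9000000  # assumed; local rules use sids >= 1000000


def parse_feed(text):
    """Yield (indicator, source) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        source = parts[1].strip() if len(parts) > 1 else "unknown"
        yield parts[0].strip(), source


def classify(indicator):
    """Return 'cidr', 'domain' or None for entries no rule can be built from."""
    try:
        ipaddress.ip_network(indicator, strict=False)
        return "cidr"
    except ValueError:
        pass
    labels = indicator.split(".")
    if len(labels) >= 2 and all(
        0 < len(lbl) <= 63 and lbl.replace("-", "").isalnum() for lbl in labels
    ):
        return "domain"
    return None


def dns_name_content(domain):
    """Encode a name as DNS wire-format labels in Snort content hex syntax.

    'bad.example' -> '|03|bad|07|example|00|'.  Each label is length-prefixed
    and the name ends in a zero byte, so the match is anchored to whole labels.
    """
    parts = ["|%02x|%s" % (len(lbl), lbl) for lbl in domain.lower().split(".")]
    return "".join(parts) + "|00|"


def make_rules(feed_text, sid_base=SID_BASE):
    """Return (rules, rejected): one commented rule per usable indicator."""
    rules, rejected = [], []
    sid = sid_base
    for indicator, source in parse_feed(feed_text):
        kind = classify(indicator)
        if kind == "cidr":
            net = ipaddress.ip_network(indicator, strict=False)
            comment = "# %s : blocklisted network, source %s" % (net, source)
            rule = (
                'drop ip %s any <> $HOME_NET any (msg:"BLOCKLIST %s traffic %s"; '
                "classtype:misc-attack; sid:%d; rev:1;)" % (net, source, net, sid)
            )
        elif kind == "domain":
            comment = "# %s : suspicious domain, source %s" % (indicator, source)
            rule = (
                'alert udp $HOME_NET any -> any 53 (msg:"BLOCKLIST %s DNS query %s"; '
                'content:"%s"; nocase; classtype:bad-unknown; sid:%d; rev:1;)'
                % (source, indicator, dns_name_content(indicator), sid)
            )
        else:
            rejected.append(indicator)  # keep a record instead of silently dropping
            continue
        rules.append(comment + "\n" + rule)
        sid += 1
    return rules, rejected


def suppress_line(gid, sid, track=None, ip=None):
    """Build a Snort 2 'suppress' entry for threshold.conf / snort.conf."""
    line = "suppress gen_id %d, sig_id %d" % (gid, sid)
    if track and ip:  # optionally limit the suppression to one host or network
        line += ", track %s, ip %s" % (track, ip)
    return line


if __name__ == "__main__":
    rules, rejected = make_rules(SAMPLE_FEED)
    print("\n".join(rules))
    print("# rejected:", rejected)
    # Assumed: gid 1 / sid 384 is the stock "ICMP PING" rule; verify locally.
    print(suppress_line(1, 384, track="by_src", ip="192.0.2.0/24"))
```

The rejected list is returned rather than dropped so a bad feed line shows up in the log instead of silently shrinking the blocklist; and the `track`/`ip` arguments let the echo-request suppression be scoped to the one network that generates the noise instead of hiding ICMP sweeps from everywhere.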
