[Snort-users] Few questions from a new Snort user
marcin.dulak at gmail.com
Sun Sep 3 05:20:47 EDT 2017
On Sat, Sep 2, 2017 at 11:56 PM, Matt Rogghe via Snort-users <snort-users at lists.snort.org> wrote:
> Snort “for home” (paid) running on Pfsense. Works amazingly well. Now
> I’m trying to understand all the ins and outs of alerting, syslog, various
> rules and settings. I’ve spent a good chunk of the day reading and
> configuring and testing. There are a couple of questions I have I couldn’t
> answer, at least answer simply, in my travels…
> 1) One of the biggest wants I have is to automatically block known
> malicious domains and IPs using lists like at SANS and others.
> I *think* Snort VRT rules do at least some of that, though I’m having
> difficulty at this early/noob stage parsing all the Snort rules. I did
> enable the Emerging Threats rules for this type of traffic. Is that the
> best/recommended way to go?
There are some documents describing how to use the Snort reputation preprocessor in pfSense, and this link explains the basics on a "real" Snort
> 2) On the topic of Emerging Threats, I read a whole host of conflicting
> information about its value and overlap with standard/VRT (the paid
> version) Snort rules. I have only enabled a small sub-selection of the
> Emerging Threats categories as I test and get comfortable with it. Is
> there in fact a good amount of overlap? Perfectly fine and/or recommended
> to use the two together?
> 3) Is there a simple explanation someplace of the alerts that Snort
> throws? Example I parsed through today:
> (http_inspect) MULTIPLE HOST HDRS DETECTED
> Going all the way back to the HTTP specification, appears multiple host
> headers (multiple any headers really) are allowed, though of course this
> situation doesn't make a lot of sense. Is this a general rule of thumb
> that “yeah sure allowed by spec, but us network admins know from experience
> it’s only ever used in attacks” ? Any good collection of accumulated
> wisdom on this type of thing out there?
> Interestingly, the traffic being alerted/blocked here is coming from an
> internal DirectTV device (properly VLAN’d off) out to the internets.
> Suppose I should send them a nasty gram.
Read about "multiple host headers" on Google and decide whether to disable
> Thanks folks. Inner geek is very happy today with increased security :)
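The http_inspect event from question 3 fires on the condition a small header parser like the one below detects; this is an added illustration, not Snort's code, and the request heads are constructed samples. RFC 7230 section 5.4 requires a server to reject any request carrying more than one Host field, which is why an inspector treats a second Host header as anomalous rather than as benign duplication.

```python
from typing import List, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into (request line, [(name, value), ...]).

    Header names are lowercased so 'Host' and 'host' count as the same field;
    obsolete line folding (a continuation line starting with SP/HTAB) is joined
    onto the previous field instead of being mistaken for a new header.
    """
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")   # stop at the blank line before the body
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:          # obs-fold continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def host_headers(raw: bytes) -> List[str]:
    """Return every Host field value, in the order it appeared."""
    return [v for n, v in parse_request_head(raw)[1] if n == "host"]


def check_request(raw: bytes) -> str:
    """Classify a request head the way an HTTP inspector would."""
    hosts = host_headers(raw)
    if not hosts:
        return "missing-host"
    if len(hosts) == 1:
        return "ok"
    return "multiple-host-headers"   # the condition behind the Snort event


# Constructed sample request heads (not captured from any real device).
NORMAL = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n"
DUPLICATE = b"GET / HTTP/1.1\r\nHost: example.com\r\nhost: other.example\r\n\r\n"
MISSING = b"GET / HTTP/1.1\r\nUser-Agent: test\r\n\r\nbody"

if __name__ == "__main__":
    for sample in (NORMAL, DUPLICATE, MISSING):
        print(check_request(sample), host_headers(sample))
```

Running the script on the DUPLICATE sample shows the two Host values the inspector would see; the same check applied to a capture of the DirecTV traffic tells you whether the alert is a real duplicate or a parsing quirk before you decide to disable it.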