Snort mailing list archives
Few questions from a new Snort user
From: Matt Rogghe via Snort-users <snort-users () lists snort org>
Date: Sat, 2 Sep 2017 17:56:43 -0400
Snort “for home” (paid) running on Pfsense. Works amazingly well. Now I’m trying to understand all the ins and outs of alerting, syslog, various rules and settings. I’ve spent a good chunk of the day reading and configuring and testing. There are a couple of questions I have I couldn’t answer, at least answer simply, in my travels…

1) One of the biggest wants I have is to automatically block known malicious domains and IPs using lists like at SANS and others. https://isc.sans.edu/suspicious_domains.html

I *think* Snort VRT rules do at least some of that, though I’m having difficulty at this early/noob stage parsing all the Snort rules. I did enable the Emerging Threats rules for this type of traffic. Is that the best/recommended way to go?

2) On the topic of Emerging Threats, I read a whole host of conflicting information about its value and overlap with standard/VRT (the paid version) Snort rules. I have only enabled a small sub-selection of the Emerging Threats categories as I test and get comfortable with it. Is there in fact a good amount of overlap? Perfectly fine and/or recommended to use the two together?

3) Is there a simple explanation someplace of the alerts that Snort throws? Example I parsed through today:

(http_inspect) MULTIPLE HOST HDRS DETECTED

Going all the way back to the HTTP specification, appears multiple host headers (multiple any headers really) are allowed, though of course this situation doesn't make a lot of sense. Is this a general rule of thumb that “yeah sure allowed by spec, but us network admins know from experience it’s only ever used in attacks”? Any good collection of accumulated wisdom on this type of thing out there?

Interestingly, the traffic being alerted/blocked here is coming from an internal DirectTV device (properly VLAN’d off) out to the internets. Suppose I should send them a nasty gram.

Thanks folks. Inner geek is very happy today with increased security :)
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
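The http_inspect alert in question 3 fires when one request head carries more than one Host header. The following is an added example, not Snort's own code and not part of the thread: a small Python check that parses a request head and reports the same condition (plus the related missing-Host case), so a reader can see exactly what the preprocessor is counting. The sample requests are constructed, not captured traffic.

```python
from typing import List, Optional, Tuple

# Added example (not Snort's http_inspect implementation): a minimal check
# mirroring what "MULTIPLE HOST HDRS DETECTED" reports, namely a request
# head that carries more than one Host header. Header names are compared
# case-insensitively, as HTTP requires, so "Host" and "host" both count.

def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x request head into request line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")   # split on the first colon only
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers

def host_headers(raw: bytes) -> List[str]:
    """Return every Host header value in the request, in wire order."""
    _, headers = parse_request_head(raw)
    return [value for name, value in headers if name == "host"]

def check_host_header(raw: bytes) -> Optional[str]:
    """Return an alert string when the request needs attention, else None.

    Flags two conditions: more than one Host header (the situation the
    http_inspect alert reports; intermediaries may honour different copies,
    which is why it is worth a look) and no Host header at all, which
    HTTP/1.1 requires.
    """
    hosts = host_headers(raw)
    if len(hosts) > 1:
        return f"MULTIPLE HOST HDRS DETECTED: {hosts}"
    if not hosts:
        return "MISSING HOST HDR"
    return None

# Constructed sample requests (not captured traffic).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"
DUPLICATE = b"GET / HTTP/1.1\r\nHost: example.com\r\nhost: other.example\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for sample in (CLEAN, DUPLICATE, NO_HOST):
        print(check_host_header(sample))
```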
Current thread:
- Few questions from a new Snort user Matt Rogghe via Snort-users (Sep 02)
- Re: Few questions from a new Snort user Alberto Colosi via Snort-users (Sep 02)
- Re: Few questions from a new Snort user Marcin Dulak via Snort-users (Sep 03)