Snort mailing list archives

Few questions from a new Snort user


From: Matt Rogghe via Snort-users <snort-users () lists snort org>
Date: Sat, 2 Sep 2017 17:56:43 -0400

Snort “for home” (paid) running on pfSense.  Works amazingly well.  Now I’m trying to understand all the ins and outs 
of alerting, syslog, various rules and settings.  I’ve spent a good chunk of the day reading and configuring and 
testing.  There are a couple of questions I have I couldn’t answer, at least answer simply, in my travels…

1) One of the biggest wants I have is to automatically block known malicious domains and IPs using lists like at SANS 
and others.
https://isc.sans.edu/suspicious_domains.html
I *think* Snort VRT rules do at least some of that, though I’m having difficulty at this early/noob stage parsing all 
the Snort rules.  I did enable the Emerging Threats rules for this type of traffic.  Is that the best/recommended way 
to go?

2) On the topic of Emerging Threats, I read a whole host of conflicting information about its value and overlap with 
standard/VRT (the paid version) Snort rules.  I have only enabled a small sub-selection of the Emerging Threats 
categories as I test and get comfortable with it.  Is there in fact a good amount of overlap?  Perfectly fine and/or 
recommended to use the two together?

3) Is there a simple explanation someplace of the alerts that Snort throws?  Example I parsed through today:
(http_inspect) MULTIPLE HOST HDRS DETECTED
Going all the way back to the HTTP specification, appears multiple host headers (multiple any headers really) are 
allowed, though of course this situation doesn't make a lot of sense.  Is this a general rule of thumb that “yeah sure 
allowed by spec, but us network admins know from experience it’s only ever used in attacks” ?  Any good collection of 
accumulated wisdom on this type of thing out there?
Interestingly, the traffic being alerted/blocked here is coming from an internal DirecTV device (properly VLAN’d off) 
out to the internets.  Suppose I should send them a nasty gram.

Thanks folks.  Inner geek is very happy today with increased security :)
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
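On question 1 (turning a domain/IP list such as the SANS one linked above into something Snort will act on), the following is an added example written for this archive page; it is not code from the poster, from Snort or from the pfSense Snort package. It assumes Snort 2.9 rule syntax and the standard snort.conf variables `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS`, and it starts its SIDs at 1000001 because the range from 1,000,000 upward is reserved for local rules. The blocklist in the block is constructed, not the SANS list. Domains get two rules each: one on the DNS query name in wire format (the length-prefixed labels ending in the root label `|00|`, which also matches subdomains) and one on the HTTP Host header; bare IPs get an `ip` rule. Entries that are neither a valid IPv4 address nor a syntactically valid hostname are discarded so that a tampered list cannot inject rule syntax.

```python
"""Turn a plain-text blocklist (one domain or IPv4 per line) into Snort 2.9 local rules.
Added example for the mailing-list question above; not part of Snort or pfSense."""
import ipaddress
import re

# Hostname label grammar (RFC 1123): letters, digits, hyphen, 1-63 chars, no edge hyphens.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample list (not the SANS list). '#' starts a comment; a trailing dot is allowed.
SAMPLE_BLOCKLIST = """\
# constructed sample, not real threat data
198.51.100.23
example.bad
malware-drop.example.net.
not a domain!!
"""


def parse_blocklist(text):
    """Split a blocklist into (ips, domains), dropping anything that is not a clean
    IPv4 address or hostname so a poisoned list cannot smuggle rule syntax through."""
    ips, domains = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(line)))
            continue
        except ipaddress.AddressValueError:
            pass
        labels = line.split(".")
        if len(labels) >= 2 and len(line) <= 253 and all(_LABEL.match(l) for l in labels):
            domains.append(line)
    return ips, domains


def dns_wire_name(domain):
    """Encode a domain as Snort hex content in DNS wire format: |07|example|03|bad|00|."""
    return "".join("|%02X|%s" % (len(label), label) for label in domain.split(".")) + "|00|"


def build_rules(text, base_sid=1000001):
    """Return a list of Snort rule strings, one SID per rule, starting at base_sid."""
    ips, domains = parse_blocklist(text)
    rules = []
    sid = base_sid
    for ip in ips:
        rules.append('alert ip $HOME_NET any -> %s any (msg:"LOCAL blocklist IP %s"; '
                     'sid:%d; rev:1;)' % (ip, ip, sid))
        sid += 1
    for d in domains:
        # DNS: the encoded suffix ends in the root label, so www.<domain> also matches.
        rules.append('alert udp $HOME_NET any -> any 53 (msg:"LOCAL blocklist DNS query %s"; '
                     'content:"%s"; nocase; sid:%d; rev:1;)' % (d, dns_wire_name(d), sid))
        sid += 1
        # HTTP: match the whole Host line in the normalized header buffer (|3A 20| = ': ',
        # |0D 0A| = CRLF) so example.bad does not also fire on example.badthing.com.
        rules.append('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                     '(msg:"LOCAL blocklist HTTP Host %s"; flow:to_server,established; '
                     'content:"Host|3A 20|%s|0D 0A|"; http_header; nocase; sid:%d; rev:1;)'
                     % (d, d, sid))
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_BLOCKLIST):
        print(rule)
```

Drop the output into a local rules file that the pfSense package loads; with "Block Offenders" enabled the package blocks the source of an alert, so plain `alert` rules are enough there. For lists that are only IP addresses, Snort's `reputation` preprocessor with a blacklist file is the lighter-weight route, since it needs no per-address rule at all.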
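On question 3, the `(http_inspect) MULTIPLE HOST HDRS DETECTED` alert: RFC 7230 section 5.4 requires an HTTP/1.1 server to answer 400 to any request carrying more than one Host field, and when the request-target is in absolute form (`GET http://host/path`) the server must use that authority and ignore Host. A request that breaks either rule is one that two parsers (a proxy and the origin, or the IDS and the server) can legitimately disagree about, which is why the preprocessor flags it. The checker below is an added example written for this page, not Snort's own http_inspect logic; the four request strings in it are constructed, not a capture from the device mentioned in the post.

```python
"""Host-header ambiguity checks behind an http_inspect MULTIPLE HOST HDRS alert.
Added example, not Snort code: a small HTTP/1.1 request parser plus the RFC 7230 5.4
conditions (exactly one Host; with an absolute-form target the target's authority wins)."""
from urllib.parse import urlsplit


def parse_request(raw):
    """Split raw request bytes into (request_line, [(name, value), ...], body).
    Header names are lower-cased, so 'Host' and 'host' count as the same field."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation line: it belongs to the previous field
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers, body


def check_host_headers(raw):
    """Return a list of findings; an empty list means the host is unambiguous."""
    request_line, headers, _ = parse_request(raw)
    hosts = [value for name, value in headers if name == "host"]
    findings = []
    if not hosts:
        findings.append("missing Host")
    elif len(hosts) > 1:
        # The condition http_inspect reports: server, proxy and IDS may each pick a different one.
        findings.append("multiple Host headers: " + ", ".join(hosts))
    parts = request_line.split(" ")
    if len(parts) == 3 and "://" in parts[1]:
        # absolute-form target: its authority is what the server must honour, not Host
        authority = urlsplit(parts[1]).netloc.lower()
        if hosts and authority != hosts[0].lower():
            findings.append("Host/target mismatch: target=%s Host=%s" % (authority, hosts[0]))
    return findings


# Constructed sample requests (not captured traffic).
NORMAL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
DOUBLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nhost: evil.example\r\n\r\n"
ABSOLUTE = b"GET http://www.example.com/ HTTP/1.1\r\nHost: other.example\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("double", DOUBLE),
                       ("absolute", ABSOLUTE), ("no host", NO_HOST)]:
        print(label, check_host_headers(req) or "ok")
```

Run against a pcap of the flagged flows (for instance by feeding each request's bytes to `check_host_headers`) and the finding tells you whether the device is sending two Host lines or something else that trips the same parser path; either way the request is malformed under RFC 7230 rather than merely unusual.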
