Noob Asking for Help - Snort

Hi everyone.
I'm a software developer, but I had never explored the networking side until recently. I have created myself a pfSense box with an HP T610 thin client. I have configured everything thanks to the Lawrence Systems videos on Facebook.

I have installed Snort due to it being more user friendly than Suricata and to save time on setting up.

Again, everything is working fine. So far I got almost no false positives except for one exception: Snort keeps on blocking YouTube.

I have found exactly which rule blocks it. However, I can't just simply add the blocked IP to the suppress list since it ends up being blocked again after about 5 minutes from another IP. I'm guessing it's the ads that probably come from a different IP and create the block. I had about 10 IPs in the suppress list before I decided to come here.

All IPs get blocked due to the "(portscan) UDP Filtered Portscan" rule, but I want to know if there's an alternative other than either removing the rule or spending weeks suppressing tons of IPs.
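A way to see why IP-by-IP suppression never converges in a case like this is to aggregate the alerts per rule and count how many distinct peers each rule fires on. The script below is an added example, not code from the original post or from Lawrence Systems; it assumes Snort 2.x "fast" alert output and the `suppress` syntax of threshold.conf, and the `[gid:sid:rev]` ids, rule messages other than the one quoted in the post, and all addresses in its sample lines are constructed placeholders.

```python
"""Triage Snort fast-format alerts: find rules where per-IP suppression will not converge."""
import re

# Constructed sample of Snort "fast" alert lines (not from the original post).
# The [gid:sid:rev] ids, the "EXAMPLE rule A" message, and all addresses
# (RFC 5737 documentation ranges) are placeholders, not real rule ids or hosts.
SAMPLE_ALERTS = """\
01/15-20:01:02.100000  [**] [122:99:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.20
01/15-20:06:11.200000  [**] [122:99:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.21
01/15-20:11:40.300000  [**] [122:99:1] (portscan) UDP Filtered Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.22
01/15-20:12:05.400000  [**] [1:99001:1] EXAMPLE rule A [**] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22
01/15-20:13:05.500000  [**] [1:99001:1] EXAMPLE rule A [**] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22
"""

# Matches the "[**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]" shape
# of a fast alert line. IPv4 only: the optional ":port" suffix makes IPv6 ambiguous.
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[^\s:]+)(?::\d+)?\s+->\s+(?P<dst>[^\s:]+)(?::\d+)?\s*$"
)


def parse_fast_alerts(text):
    """Return one dict per parsable alert line; unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize_by_rule(alerts):
    """Group alerts by (gid, sid, msg): alert count plus distinct source and destination IPs."""
    summary = {}
    for a in alerts:
        key = (a["gid"], a["sid"], a["msg"])
        entry = summary.setdefault(key, {"count": 0, "src": set(), "dst": set()})
        entry["count"] += 1
        entry["src"].add(a["src"])
        entry["dst"].add(a["dst"])
    return summary


def tuning_candidates(summary, min_distinct_peers=3):
    """Rules that fire against many distinct peers: suppressing one IP at a time will
    keep producing new blocks, so these want rule-level tuning instead.
    Returns (gid, sid, msg, distinct_peers), most peers first."""
    out = []
    for (gid, sid, msg), e in summary.items():
        peers = max(len(e["src"]), len(e["dst"]))
        if peers >= min_distinct_peers:
            out.append((gid, sid, msg, peers))
    return sorted(out, key=lambda r: -r[3])


def suppress_line(gid, sid, ip, track="by_src"):
    """One Snort 2.x threshold.conf suppression entry for a single rule and address;
    this is the per-IP entry that does not scale when peers keep changing."""
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


if __name__ == "__main__":
    summary = summarize_by_rule(parse_fast_alerts(SAMPLE_ALERTS))
    for gid, sid, msg, peers in tuning_candidates(summary):
        count = summary[(gid, sid, msg)]["count"]
        print(f"{gid}:{sid} {msg!r}: {count} alerts across {peers} distinct peers")
```

On the constructed sample, only the portscan rule is reported, because it fires against three different destination hosts from one internal source; a rule like that is the one to tune (or threshold) as a rule, while a rule that only ever involves one peer is a reasonable candidate for a single `suppress` entry.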

Tuning rules is all part of the fun of running an IDS system. I cover rules in this video.

Awesome. Thanks a bunch, Tom. I had watched part of that video, but after you mentioned the lengthy process to fine-tune Suricata, I stopped and went with Snort instead. I guess I was a bit lazy.

I'll give it another watch. A big thanks for the help.

The process is just as long with Snort.