Question about snort - help
-
Snort is running on my computer,
but there are sites that it blocks access to. Is there a place to enroll a site
that Snort does not block? I tried to insert the name of the website in the whitelist tab,
but without success.
Then I realized that you first add the site name
in the "aliases" tab.
I wrote down the name of the site and its IP,
but it is still blocked. I guess I'm doing something wrong;
I just do not know what. How do I prevent Snort from blocking certain sites?
In short, I got into trouble with it.
-
Snort blocks sites based on some logic. If you did not follow the proper set up instructions, of course it will block every site it comes across (simple html request). Please see:
http://forum.pfsense.org/index.php/topic,61018.0.html
http://forum.pfsense.org/index.php/topic,64674.0.html
http://forum.pfsense.org/index.php/topic,56267.0.html
and read ALL posts in those topics before proceeding with setting up snort.
-
It's a day's work.
If there is a problem,
is there a way to return to the previous state without having to go one by one? I understood the intent:
instead of Snort checking the browsing, it will cancel the block {suppress list}; it does not check at all.
But for 10 or 20 sites,
is it worth all the work? I now want to try the suppress list.
I do not have a lot of sites that I have a problem with them,
barely six. How do I know which law follows which site?
I get the list of blocked;
I see only the IP.
I do not see the name of the site.
-
More than likely it is the HTTP_INSPECT preprocessor that is causing you issues. It can be overly aggressive. I saw some traffic on the Snort-Developer mailing list over the weekend discussing some bugs in the behavior of this preprocessor. The Snort developers said some improvements were in the works for a later Snort binary release.
In the meantime, look in the ALERTS tab of Snort and you will probably see some alerts from the HTTP_INSPECT preprocessor. These will have the words (http_inspect) under the Description column. In the SID column will be a number pair such as 120:8. This is the code for Generator ID and Signature ID. In this example, the alert is coming from Generator ID 120 (which is the HTTP_INSPECT preprocessor) and the specific alert is from Signature ID 8. Underneath the number pair will be a plus icon (+). Clicking that icon will automatically add that SID to the Suppress List for the interface. Once on the Suppress List, that alert will not cause any further blocks.
As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system. For example, do a nslookup on "yahoo.com" and you will see a number of IP addresses returned. So for any given session, your browser could connect to any one of those IP addresses.
Bill
-
I guess that's what I will be able to use the aliases tab for.
Or I did not understand well.
-
Aliases in the Whitelist are still a bit in the future (if ever). There are lots of issues to iron out in order to pull that off. I was simply talking about the ability on the ALERTS or BLOCKED tabs of being able to click an icon and perform a reverse DNS lookup on the displayed IP address. This is more of a convenience some other users asked for.
Bill
-
I know what you mean.
I just thought I'd do it in a warped way {around it},
because the correct path is a bit complicated,
or rather a lot of time working.
In the alerts tab
there is a list of sites that Snort alerts on. Near each alert there is a plus sign (+) that adds the alert to the suppression list.
The problem is I do not know which alerts are real and which are false. How do I know?
Otherwise it was simple:
add all of them to the suppression list.
How can you add more files with high weight in a single message?
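Bill's explanation of the GID:SID pair (120:8 = Generator ID 120, the HTTP_INSPECT preprocessor, Signature ID 8) and of the suppress list, together with the question above of how to tell real alerts from false ones, can be worked through on an alert log. The Python script below is an added example, not code from this thread or from the pfSense Snort package. It assumes Snort's alert_fast log format (`[gid:sid:rev]` followed by the message) and the threshold.conf suppress syntax (`suppress gen_id N, sig_id M`, optionally `track by_dst, ip X`); the sample alert lines are constructed, and the GID 1 rule in them is a made-up local rule. It groups alerts by GID:SID, counts how many distinct sites each one fires against (a preprocessor alert hitting many unrelated sites is the usual sign of an over-aggressive check rather than an attack), and emits suppress lines for the chosen entries.

```python
import re

# Constructed sample lines in Snort's "alert_fast" log format (not from the thread).
# GID 120 is the HTTP_INSPECT preprocessor, as Bill notes. SID 1000001 on GID 1 is a
# made-up local rule (SIDs >= 1000000 are the conventional range for local rules).
SAMPLE_ALERTS = """\
01/28-22:26:04.885446  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:54321 -> 93.184.216.34:80
01/28-22:26:05.102233  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:54322 -> 198.51.100.7:80
01/28-22:27:11.000001  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:54330 -> 203.0.113.9:80
01/28-22:30:42.500000  [**] [1:1000001:1] LOCAL example rule (constructed) [**] [Classification: Unknown Traffic] [Priority: 2] {TCP} 192.168.1.10:40000 -> 203.0.113.9:22
"""

# [gid:sid:rev] followed by the message text, up to the closing [**]
_HEADER = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
# {PROTO} src[:port] -> dst[:port] at the end of the line
_ENDPOINTS = re.compile(r"\{(\w+)\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$")

# Generator IDs that belong to preprocessors rather than rules. Only HTTP_INSPECT
# (120) is listed here because it is the one named in the thread.
PREPROCESSOR_GIDS = {120}


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not parse."""
    head = _HEADER.search(line)
    ends = _ENDPOINTS.search(line)
    if not head or not ends:
        return None
    gid, sid, rev, msg = head.groups()
    proto, src, dst = ends.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "proto": proto, "src": src, "dst": dst}


def summarize(text):
    """Group alerts by 'gid:sid' with a hit count and the set of distinct destination hosts."""
    summary = {}
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        key = f"{alert['gid']}:{alert['sid']}"
        entry = summary.setdefault(key, {"msg": alert["msg"], "count": 0, "dst_hosts": set()})
        entry["count"] += 1
        entry["dst_hosts"].add(alert["dst"])
    return summary


def triage(summary):
    """Order gid:sid keys so the likeliest false positives come first: preprocessor
    alerts first, then those firing against the most distinct sites, then by hit count."""
    def score(item):
        key, entry = item
        gid = int(key.split(":")[0])
        return (gid in PREPROCESSOR_GIDS, len(entry["dst_hosts"]), entry["count"])
    return [key for key, _ in sorted(summary.items(), key=score, reverse=True)]


def suppress_entries(keys, track=None, ip=None):
    """Build threshold.conf 'suppress' lines for the given gid:sid keys. With
    track='by_dst' (or 'by_src') and an ip, the suppression applies only to that host
    instead of silencing the signature everywhere, which is the safer default."""
    out = []
    for key in keys:
        gid, sid = key.split(":")
        line = f"suppress gen_id {gid}, sig_id {sid}"
        if track and ip:
            line += f", track {track}, ip {ip}"
        out.append(line)
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for key in triage(summary):
        entry = summary[key]
        print(f"{key:>10} hits={entry['count']} sites={len(entry['dst_hosts'])} {entry['msg']}")
    # Suppress only the top candidate, and only for the one site it was seen against.
    top = triage(summary)[0]
    host = sorted(summary[top]["dst_hosts"])[0]
    print("\n".join(suppress_entries([top], track="by_dst", ip=host)))
```

Run it against a real alert_fast file by replacing SAMPLE_ALERTS with the file's contents. Entries near the top of the triage list that are preprocessor alerts spread across many ordinary sites are the ones worth suppressing; a GID 1 rule firing against a single host deserves a look before it is silenced.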
-
Another image
-
Another image