Snort - How to ignore rules on specific ports
-
pfSense 2.0.1 Snort 2.8.6.1
I just setup Snort for the first time on my pfSense box. Works pretty good. I went through the FAQ and I'm getting alerts and blocked events. Now I need some help in fine tuning.
Issue #1
When viewing some Youtube videos I'm getting some alerts called "SHELLCODE x86 inc ebx NOOP"I looked up the info on SID: 1390 on Snort.org and it recommended ignoring shellcode rules on web ports. I'm not sure how to do this in the pfSense implementation of Snort. If somebody could guide me it would be much appreciated.
-
Hi, It's been a few months since this was last posted and I have the same problem. I hope a bump will draw renewed attention to this inquiry.
Thank, -
After rewatching http://www.youtube.com/watch?v=uQ7OrxtiAes I was able recreate a suppression rule for the false positive.