Disabling (http_inspect) snort alerts
-
Hello,
Disabling (http_inspect) snort alerts, as per the third option in this post (unchecking the “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies” option on the Preprocs tab): https://forum.pfsense.org/index.php?topic=62605.msg338107#msg338107
Creates the issue described in the following post:
https://forum.pfsense.org/index.php?topic=31597.0
(Error message "FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) Please enable the HTTP Inspect preprocessor before using the http content modifiers")
Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?
Thank you
-
@G.D.:
Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?
From the following link, there are some recommendations to add some suppress actions to certain SIDs, leaving the HTTP_Pre-processor enabled.
https://forum.pfsense.org/index.php?topic=64674.90
You should review them before applying. But generally they are ok to suppress.
Here are the suppressions that I am using:
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10
#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33
#(http_inspect) U ENCODING
suppress gen_id 119, sig_id 3
Or find the rule #427 /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) and disable this rule as it depends on the HTTP_Preprocessor. There may be others.
The link below has details on how to do that.
https://forum.pfsense.org/index.php?topic=74930.msg410285#msg410285
When the HTTP_Pre-Processor is disabled, I don't think that Snort can Automatically Disable rules that are "Enabled" and require the HTTP_Processor to be Enabled.
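The reply above says rule #427 depends on http_inspect and "there may be others". The following is an added example (not from the thread or from pfSense/Snort) that finds every such rule in a Snort 2.x rules file by scanning for the http content modifiers named in the error message, reporting the 1-based line number in the same snort.rules(NNN) form, and optionally commenting them out. The sample rules are constructed; the option list is taken from the Snort 2 manual, with urilen included because the manual ties it to http_inspect as well.

```python
import re

# Snort 2.x rule options rejected when the http_inspect preprocessor is disabled.
# The http_* names are the "http content modifiers" in the FATAL ERROR;
# urilen is included because the Snort manual ties it to http_inspect too.
HTTP_INSPECT_OPTIONS = {
    "http_client_body", "http_cookie", "http_raw_cookie", "http_header",
    "http_raw_header", "http_method", "http_uri", "http_raw_uri",
    "http_stat_code", "http_stat_msg", "http_encode", "urilen",
}

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')           # content:"..." payloads (escaped quotes allowed)
_OPTION_NAME = re.compile(r'(?:^|;)\s*([a-z_]+)\s*(?=[:;])')  # option keyword before ':' or ';'

def http_inspect_dependents(rules_text):
    """Return [(line_no, sid, [options])] for active rules that need http_inspect.
    line_no is 1-based, matching the snort.rules(NNN) form in Snort's error message."""
    hits = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank line or already-disabled rule
        start, end = stripped.find("("), stripped.rfind(")")
        if start == -1 or end == -1:
            continue                                   # no option body, nothing to check
        body = _QUOTED.sub('""', stripped[start + 1:end])   # ignore keywords inside quoted content
        used = sorted(set(_OPTION_NAME.findall(body)) & HTTP_INSPECT_OPTIONS)
        if used:
            sid_match = re.search(r'\bsid\s*:\s*(\d+)', body)
            hits.append((line_no, int(sid_match.group(1)) if sid_match else None, used))
    return hits

def comment_out_dependents(rules_text):
    """Return the rules text with every http_inspect-dependent rule commented out."""
    bad = {line_no for line_no, _, _ in http_inspect_dependents(rules_text)}
    lines = rules_text.splitlines()
    return "\n".join("# " + l if i + 1 in bad else l for i, l in enumerate(lines))

# Constructed sample ruleset (not real signatures); line 2 is safe because "http_uri" is only text.
SAMPLE_RULES = '''# constructed sample, not a real ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"plain content rule"; content:"http_uri"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"needs http_inspect"; content:"/admin"; http_uri; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"already disabled"; content:"x"; http_header; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"urilen rule"; urilen:>512; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    for line_no, sid, used in http_inspect_dependents(SAMPLE_RULES):
        print(f"snort.rules({line_no}) sid:{sid} uses {', '.join(used)}")
```

Run it against the real file with `http_inspect_dependents(open(path).read())`; the reported line numbers line up with the number Snort prints in the FATAL ERROR.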