Netgate Discussion Forum

    Disable Snort rule

      moelharrak

      Hi all,
      I need to find the rule that causes the issue and remove it for all.
      What I share with you is an alert picked from the Snort log.
      I know that I need to remove the IP from the blocked hosts, but this is not the solution; I can't go and remove the IP each time it is blocked. I need to find the rule and disable it.

        bmeeks @moelharrak

        @moelharrak said in Disable Snort rule:

        Hi all,
        I need to find the rule that causes the issue and remove it for all.
        What I share with you is an alert picked from the Snort log.
        I know that I need to remove the IP from the blocked hosts, but this is not the solution; I can't go and remove the IP each time it is blocked. I need to find the rule and disable it.

        It is very simple to find the alerting rule that is causing the problem. Look for the IP address of your IPTV device in the alerts. If you don't see the IP of your IPTV, then Snort is not what is causing your problem. If your IPTV has IP address 1.2.3.4, then look through the ALERTS tab on Snort and find any and all rules where the SRC or DST IP is 1.2.3.4; that's likely your problem rule.

          moelharrak

          I do have a generated alert:
          13:40:56 3 TCP Unknown Traffic x.x.x.x 37284 x.x.x.x 80 120:8 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
          My question now is how to find the rule that generates this alert and disable it completely.

            bmeeks @moelharrak

            @moelharrak said in Disable Snort rule:

            I do have a generated alert:
            13:40:56 3 TCP Unknown Traffic x.x.x.x 37284 x.x.x.x 80 120:8 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
            My question now is how to find the rule that generates this alert and disable it completely.

            Hover your mouse over the red X under the SID column and you will have your answer ... ☺

            You can also tell from reading the text of the rule message. This rule is from the HTTP_INSPECT preprocessor. The GID is 120 for that preprocessor. The specific rule you listed is SID 8 (that's what the 120:8 represents in the rule). HTTP_INSPECT rules are part of the built-in Snort preprocessor rules. You can view those by going to the RULES tab and choosing Preprocessor Rules in the drop-down selector.

              moelharrak

              I've already done it; it worked for other rules but not this one. I even see now that it's yellow (meaning the rule is disabled), but Snort still blocks the server.
              That's why I asked where I can find this rule and disable it completely. I looked for it using GID:SID (120:8) but can't find it.

                bmeeks @moelharrak

                @moelharrak said in Disable Snort rule:

                I've already done it; it worked for other rules but not this one. I even see now that it's yellow (meaning the rule is disabled), but Snort still blocks the server.
                That's why I asked where I can find this rule and disable it completely. I looked for it using GID:SID (120:8) but can't find it.

                The only other issue you may have is dual instances of Snort running on the same interface. If that happens, one becomes a zombie sort of and ignores configuration changes. If other rule disables are working, though, then I would not think a zombie instance is your problem. Easy to fix that, though. Simply reboot pfSense. That will clear any zombie process.

                There may be more than one rule blocking your server. Also, are you running any other packages such as pfBlockerNG? That package can block a lot of stuff as well and cause issues with streaming.

                  bmeeks

                  Use the Filter function on the ALERTS tab to find all alerts with your IPTV device IP address in them.

                  [Image: SnortAlertsTabFilter.png]

                  Put the IPTV address in one of the IP address boxes and filter your alerts on that IP to bring up all alerts that fired with that host. Any already disabled rules will have the yellow X under the SID column. Currently active rules will have a red X.

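The lookup bmeeks describes (filter the alerts on the device IP, then read the GID:SID of each hit), as an added Python example that is not part of the original thread. It assumes alert lines copied in the column layout quoted earlier in the thread and IPv4 addresses; the sample lines, the addresses, and SIDs 9999 and 1000001 are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread: time, priority, protocol,
# classification, SRC IP, SRC port, DST IP, DST port, GID:SID, message.
# Addresses are documentation-range placeholders; SIDs 9999 and 1000001 are made up.
SAMPLE_ALERTS = """\
13:40:56 3 TCP Unknown Traffic 192.0.2.10 37284 198.51.100.7 80 120:8 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
13:41:02 3 TCP Unknown Traffic 192.0.2.10 37290 198.51.100.7 80 120:8 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
13:41:30 2 TCP Potentially Bad Traffic 198.51.100.7 80 192.0.2.10 37301 120:9999 (http_inspect) CONSTRUCTED EXAMPLE MESSAGE
13:42:11 1 UDP Attempted Information Leak 203.0.113.5 5353 192.0.2.99 5353 1:1000001 Constructed example text rule
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The classification column is free text, so the two IPv4 fields anchor the match.
ALERT_RE = re.compile(
    rf"^\d{{2}}:\d{{2}}:\d{{2}}\s+\d+\s+\S+\s+.+?\s+"
    rf"(?P<src>{IPV4})\s+\d+\s+(?P<dst>{IPV4})\s+\d+\s+"
    r"(?P<gid>\d+):(?P<sid>\d+)\s+(?P<msg>.*)$"
)

def rules_for_host(alert_text, host_ip):
    """Return {(gid, sid): (hit_count, message)} where host_ip is SRC or DST."""
    counts, messages = Counter(), {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line.strip())
        # Exact comparison, so 192.0.2.1 does not also match 192.0.2.10.
        if not m or host_ip not in (m["src"], m["dst"]):
            continue
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        messages.setdefault(key, m["msg"])
    return {key: (counts[key], messages[key]) for key in counts}

def where_to_look(gid):
    """Map a generator ID to the place in the GUI where the rule is listed."""
    if gid == 120:  # http_inspect, as stated in the thread
        return "RULES tab > Preprocessor Rules (http_inspect)"
    if gid == 1:    # standard text rules
        return "RULES tab > the category that holds this text rule"
    return "not a text rule (GID 1); identify the generator first"

def report(alert_text, host_ip):
    """One line per rule that fired for host_ip, most frequent first."""
    hits = sorted(rules_for_host(alert_text, host_ip).items(), key=lambda kv: -kv[1][0])
    return [f"{g}:{s} x{n} {msg} -> {where_to_look(g)}" for (g, s), (n, msg) in hits]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALERTS, "192.0.2.10")))
```

Every GID:SID in the output is a candidate to disable; a host that produces no lines at all is not being blocked by the alerts in that log.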
                    moelharrak

                    Nope, I have no pfBlockerNG enabled; only pfSense is enabled on the WAN interface.
                    I didn't find Preprocessor Rules.
                    Meanwhile, I will reboot my pfSense and see the result.

                      bmeeks @moelharrak

                      @moelharrak said in Disable Snort rule:

                      Nope, I have no pfBlockerNG enabled; only pfSense is enabled on the WAN interface.
                      I didn't find Preprocessor Rules.
                      Meanwhile, I will reboot my pfSense and see the result.

                      If you go to the RULES tab for your WAN interface, then you should be able to click the drop-down selector and choose the Preprocessor Rules from the list as shown below:

                      [Image: SnortRulesTabRulesSelector.png]

                      What version of the Snort package are you running? Is it 3.2.9.8_5?

                        moelharrak

                        I think the reboot solved the issue; it is still working for now.
                        I will monitor it and return if there is something new.
                        Thank you for your help :)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.