Can not disable http_inspect rule.
-
Hi
After upgrading Snort to latest version (3.2.9.8_6) i have some trouble with disabling http_inspect rules.
I have three rules that generates false alarms and i try to disable them by clicking on the red X next to the rule in the alert list (which have worked earlier), then the rule continues to block ip-adresses but instead of the red X beside the rule name there is a white X inside a yellow dot (that indicates that the rule is disabled).I have tried to restart Snort and restarted the firewall without success, is there anyone with a clever idea how to sort this out?
The rules i try to disable is:
120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
119:2 (http_inspect) DOUBLE DECODING ATTACK
120:18 (http_inspect) PROTOCOL-OTHER HTTP server response before client requestI do not want to disable the whole http_inspect function.
Regards Peter G.
-
Services -> Snort -> Rules -> INTERFACE
Click the INRERFACE Rules TAB,
Select preprocessor.rules as the Category Selection.
Scroll down to 120:3 and click on it.
Click the Disabled radio button.
-
Thanks for a fast reply.
When i tried that i got the following errormessage:
The following input errors were detected:preprocessor.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.The rules works even when the file is missing, strange...
-
Tried a re-install of snort.
-
Reinstall Snort did not solve the problem, but a remove Snort, restart pfSense and install Snort again did.
Thanks for your effort.
-
Your welcome
