Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to suppress INVALID CONTENT-LENGTH OR CHUNK SIZE

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    5
    6.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      battles
      last edited by

      I am constantly getting these in Snort Alerts.  Is it ok to suppress these for my ISP's address?  What is the code to supress this kind of http_inspect?

      WAN Jul 09 06:45:39 my.isp.my.isp:8644    (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
                                            62.119.66.46:80

      I think that it should be something like:
      suppress gen_id 120, sig_id 2, track by_src, ip my.isp.my.isp

      Thanks

      pfSense 2.3.4-RELEASE-p1 (i386)
      FreeBSD 10.3-RELEASE-p19
      pfBlockerNG 2.1.2_1
      Snort Security 3.2.9.5_3
      Intel(R) Atom(TM) CPU N270 @ 1.60GHz

      1 Reply Last reply Reply Quote 0
      • B
        battles
        last edited by

        Finally figured this out: Service / Snort / Alerts / click + next to rule to suppress.

        pfSense 2.3.4-RELEASE-p1 (i386)
        FreeBSD 10.3-RELEASE-p19
        pfBlockerNG 2.1.2_1
        Snort Security 3.2.9.5_3
        Intel(R) Atom(TM) CPU N270 @ 1.60GHz

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          @battles:

          Finally figured this out: Service / Snort / Alerts / click + next to rule to suppress.

          Yuo got it.  You can also just completely disable that rule.  I think a lot of folks disable quite a number of the HTTP_INSEPCT preprocessor rules as they tend to alert on just about every tiny infraction of RFC specs.  To disable a rule on the ALERTS tab, click the red X icon located beside the GID:SID.

          Bill

          1 Reply Last reply Reply Quote 0
          • B
            battles
            last edited by

            Thanks.  I was trying to individually suppress a rule for my isp address in Services / Snort / Alerts, and upon clicking the + button, I got this error:

            The following input errors were detected:
            Suppress List 'wansuppress_57828044c1f52' is defined for this interface, but it could not be found!

            Wonder what this is about?

            pfSense 2.3.4-RELEASE-p1 (i386)
            FreeBSD 10.3-RELEASE-p19
            pfBlockerNG 2.1.2_1
            Snort Security 3.2.9.5_3
            Intel(R) Atom(TM) CPU N270 @ 1.60GHz

            1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              @battles:

              Thanks.  I was trying to individually suppress a rule for my isp address in Services / Snort / Alerts, and upon clicking the + button, I got this error:

              The following input errors were detected:
              Suppress List 'wansuppress_57828044c1f52' is defined for this interface, but it could not be found!

              Wonder what this is about?

              Maybe a previously created/assigned suppress list that was later deleted.  Go to the INTERFACE SETTINGS tab for the Snort interface and set the SUPPRESS LIST to "default" and save the change.  Now go back to the ALERTS tab and try the suppress action again.  When you click the suppress icon on the ALERTS tab, it will auto-create a Suppress List file for the interface and assign it if one does not already exist.  If one is defined in the config.xml, then it will use that one instead.  In your case, one was defined in the config.xml for the interface but the actual content was not in the config.xml file.  This usually means the old list was deleted.

              Bill

              1 Reply Last reply Reply Quote 0
              • First post
                Last post