HTTP inspect false alerts



  • Hi

    I'm pretty new to Snort. It works well; however, I'm getting a lot of blocked IPs in relation to the following message :-

    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    … or similar HTTP_INSPECT messages. I know these are false and/or harmless messages as it will kill the majority of my Internet access when Snort decides to block. One of the main issues is that it is blocking one of my ISP's routers.

    I'm finding it tricky to interpret the blocking reason and then finding the rule to disable it. I thought maybe each entry may have an option to disable the rule or to allow the blocked IP from now onwards?

    I've had to disable blocking now as the missus is getting annoyed with Snort :)

    Cheers,

