Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HTTP inspect false alerts

    Scheduled Pinned Locked Moved IDS/IPS
    1 Posts 1 Posters 458 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      djmattc
      last edited by

      Hi

      I'm pretty new to Snort. It works well however I'm getting a lot of blocked IPs in relation to the following message :-

      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

      … or similar HTTP_INSPECT messages. I know these are false and/or harmless messages as it will kill the majority of my Internet access when Snort decides to block. One of the main issues is that it is blocking one of my ISPs routers.

      I'm finding it tricky to interpret the blocking reason and then finding the rule to disable it. I thought maybe each entry may have an option to disable to rule or to allow the blocked IP from now onwards?

      I've had to disable blocking now as the missus is getting annoyed with Snort :)

      Cheers,

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.