• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Can not disable http_inspect rule.

Scheduled Pinned Locked Moved pfSense Packages
6 Posts 2 Posters 1.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • P
    Peglas
    last edited by Jun 14, 2019, 10:58 AM

    Hi

    After upgrading Snort to latest version (3.2.9.8_6) i have some trouble with disabling http_inspect rules.
    I have three rules that generates false alarms and i try to disable them by clicking on the red X next to the rule in the alert list (which have worked earlier), then the rule continues to block ip-adresses but instead of the red X beside the rule name there is a white X inside a yellow dot (that indicates that the rule is disabled).

    I have tried to restart Snort and restarted the firewall without success, is there anyone with a clever idea how to sort this out?

    The rules i try to disable is:
    120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    119:2 (http_inspect) DOUBLE DECODING ATTACK
    120:18 (http_inspect) PROTOCOL-OTHER HTTP server response before client request

    I do not want to disable the whole http_inspect function.

    Regards Peter G.

    1 Reply Last reply Reply Quote 0
    • N
      NogBadTheBad
      last edited by NogBadTheBad Jun 14, 2019, 11:16 AM Jun 14, 2019, 11:16 AM

      Services -> Snort -> Rules -> INTERFACE

      Click the INRERFACE Rules TAB,

      Select preprocessor.rules as the Category Selection.

      Scroll down to 120:3 and click on it.

      Click the Disabled radio button.

      Screenshot 2019-06-14 at 12.16.23.png

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      P 1 Reply Last reply Jun 14, 2019, 11:21 AM Reply Quote 0
      • P
        Peglas @NogBadTheBad
        last edited by Jun 14, 2019, 11:21 AM

        @NogBadTheBad

        Thanks for a fast reply.

        When i tried that i got the following errormessage:
        The following input errors were detected:

        preprocessor.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.
        

        The rules works even when the file is missing, strange...

        N 1 Reply Last reply Jun 14, 2019, 11:26 AM Reply Quote 0
        • N
          NogBadTheBad @Peglas
          last edited by Jun 14, 2019, 11:26 AM

          @Peglas

          Tried a re-install of snort.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          1 Reply Last reply Reply Quote 1
          • P
            Peglas
            last edited by Jun 14, 2019, 11:56 AM

            Reinstall Snort did not solve the problem, but a remove Snort, restart pfSense and install Snort again did.

            Thanks for your effort.

            N 1 Reply Last reply Jun 14, 2019, 12:11 PM Reply Quote 0
            • N
              NogBadTheBad @Peglas
              last edited by Jun 14, 2019, 12:11 PM

              @Peglas

              Your welcome ☺

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              1 Reply Last reply Reply Quote 0
              6 out of 6
              • First post
                6/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received