Can not disable http_inspect rule.



  • Hi

    After upgrading Snort to the latest version (3.2.9.8_6) I have some trouble with disabling http_inspect rules.
    I have three rules that generate false alarms and I try to disable them by clicking on the red X next to the rule in the alert list (which has worked earlier), then the rule continues to block IP addresses but instead of the red X beside the rule name there is a white X inside a yellow dot (that indicates that the rule is disabled).

    I have tried to restart Snort and restarted the firewall without success. Is there anyone with a clever idea how to sort this out?

    The rules I try to disable are:
    120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    119:2 (http_inspect) DOUBLE DECODING ATTACK
    120:18 (http_inspect) PROTOCOL-OTHER HTTP server response before client request

    I do not want to disable the whole http_inspect function.

    Regards Peter G.



  • Services -> Snort -> Rules -> INTERFACE

    Click the INTERFACE Rules tab,

    Select preprocessor.rules as the Category Selection.

    Scroll down to 120:3 and click on it.

    Click the Disabled radio button.




  • @NogBadTheBad

    Thanks for a fast reply.

    When I tried that I got the following error message:
    The following input errors were detected:

    preprocessor.rules seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.
    

    The rules work even when the file is missing, strange...



  • @Peglas

    Tried a re-install of Snort.



  • Reinstalling Snort did not solve the problem, but removing Snort, restarting pfSense and installing Snort again did.

    Thanks for your effort.



  • @Peglas

    You're welcome ☺

