• Hello all new to all this but I installed snort got my oink code...things are running right? How-ever now I don't know what should or should not be blocked I see alerts one of which is ((http_inspect no content-length or transfer-encoding in http response) Don't know if this is an issue and if so how do I block it. I did not set up to block anything because I am sadly ignorant as to what I should block...can anyone help me?

  • Your best bet is to look at what devices are triggering rules, don't enable blocking to start off with just alert then suck the alerts into a spreadsheet and look at the stats.

    They are disabled here:-

    Screenshot 2020-01-25 at 08.15.15.png

    FWIW I've disabled these:-




  • Hmmm I must have done something wrong in my setup...I a running this on my Wan side yours appears to be on your lan side.

  • I run it on both.

    If you have a host on your LAN causing issues you actually see the ip address of the host rather than the WAN ip address post nat.

  • Thanks I see...I actually have it running on my WAN side not my LAN. I'll set it up on my LAN side. Currently have the IPS policy set to security on the WAN side and just turned on blocking to see if it actually breaks my network. Don't think it's the best way to go about this but then I can open things up as they pop up.

Log in to reply