Netgate Discussion Forum
    Rule Signature ID (SID) causing issues with Windows updates.

    IDS/IPS
    JonathanLee

      Hello fellow Netgate community members,

      Can you help? I cannot find the Rule Signature ID (SID) for this block to disable it; this rule has suddenly started blocking all Windows updates.

      This is the active rule for Snort:

      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE -- 2022-01-14 09:29:06

      (Image flowbitissue.JPG: SNORT BLOCK (HTTP_INSPECT))

      (Image Windowsupdatefail.JPG: IP addresses for Windows Update blocked due to the rule)

      (Image Rules.JPG: I cannot find this Snort rule under any active rule)

      How can I disable this rule for Windows updates?

      (Image Squidgurad whitelisted.JPG: SquidGuard whitelisted URLs also)

      This system is running the proxy on port 3128, with HTTPS 443 and 80 disabled in the ACLs on the firewall, forcing all traffic into the proxy, and has WPAD enabled.

      (Image proxy.JPG: proxy ports in use)

      On this system I have also added URLs to an alias pass on the proxy.

      (Image alias.JPG: alias)

      (Image pass.JPG: added to proxy)

      (Image snort.JPG: added to Snort for passlist)

      Reference:

      Make sure to upvote

      JonathanLee @JonathanLee

        @jonathanlee

        Gental-Giant. (n.d.). Windows 10, version 1909, connection endpoints for non-enterprise editions - windows privacy. Windows Privacy | Microsoft Docs. Retrieved January 14, 2022, from https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1909-non-enterprise-editions

        Reference from Microsoft Docs for approved Windows URLs

        Make sure to upvote

        JonathanLee @JonathanLee

          @jonathanlee

          When I search under active rules I cannot find it. Does anyone know its location, or know a workaround? My passlists used to work up until a couple of days ago.

          Make sure to upvote

          bmeeks

            Two things.

            First, you should really be looking on the ALERTS tab when tracking down what rule or rules are firing. On that tab you will see the GID:SID for every rule that fired an alert. Alerts equal blocks when using legacy mode (unless the IP is on an active Pass List).

            Second, the rule you have highlighted is an HTTP_INSPECT preprocessor rule. That means it is part of the built-in rules Snort uses to look for protocol anomalies. You will need to find the SID for the particular HTTP_INSPECT rule that fired. You can find that on the ALERTS tab. Sort the list there by IP and you should be able to find the triggered rule. Once you find it, there is an icon for disabling that rule, or adding it to a suppress list to suppress by source or destination IP. Hover your mouse over the icons on the ALERTS tab and a pop-up tooltip will appear describing what each icon does.

            Last item I will mention is that when using IP lists for CDNs (content delivery networks), you are always likely to run into a situation where the CDN uses a new IP address that is not yet on the list you are downloading and using for your alias. That may be why your Pass List entry suddenly quit working.

            JonathanLee @bmeeks
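            The workflow bmeeks describes (read the GID:SID off the ALERTS tab, then either suppress the rule for the affected IP or check why the Pass List no longer covers it) can be reproduced offline against the alert log. The following is an added example, not code from the thread or from the pfSense Snort package: it parses constructed lines in Snort's alert_fast format, separates preprocessor alerts (GID other than 1 or 3) from text-rule alerts, reports remote IPs that fall outside a constructed pass-list alias, and emits threshold.conf `suppress` entries. The GID:SID values, addresses and the alias contents are made up for illustration; the real ones come from the ALERTS tab and the alias.

```python
"""Triage Snort alert_fast lines: find the GID:SID behind a block, check Pass List coverage."""
import ipaddress
import re

# Constructed sample alert lines (alert_fast format). The GID:SID values, timestamps
# and addresses are invented for this example; read the real ones from the ALERTS tab.
SAMPLE_ALERTS = """\
01/14-09:29:06.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:50123
01/14-09:29:07.654321  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:50124
01/14-09:30:01.000000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:443 -> 192.168.1.21:50200
"""

# Constructed pass-list alias (the CIDRs a downloaded CDN list might contain).
PASS_LIST = ["203.0.113.0/24"]

# alert_fast layout: [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per parseable alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            alerts.append(d)
    return alerts


def preprocessor_alerts(alerts):
    """GID 1 and 3 are text and shared-object rules; any other GID is a preprocessor
    (e.g. HTTP_INSPECT), which is why the SID never shows up under the rule categories."""
    return [a for a in alerts if a["gid"] not in (1, 3)]


def uncovered_sources(alerts, passlist):
    """Remote (source) IPs that no pass-list network contains; a new CDN address
    outside the downloaded list is the usual reason a Pass List 'stops working'."""
    nets = [ipaddress.ip_network(n) for n in passlist]
    missing = set()
    for a in alerts:
        ip = ipaddress.ip_address(a["src"])
        if not any(ip in n for n in nets):
            missing.add(a["src"])
    return missing


def suppress_entries(alerts):
    """threshold.conf lines that silence a GID:SID only for the given source IPs."""
    entries = {f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}"
               for a in alerts}
    return sorted(entries)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    pre = preprocessor_alerts(alerts)
    for a in pre:
        print(f"{a['gid']}:{a['sid']}  {a['msg']}  from {a['src']}")
    print("not covered by pass list:", uncovered_sources(alerts, PASS_LIST))
    print("\n".join(suppress_entries(pre)))
```

            Suppressing by source IP keeps the HTTP_INSPECT check active for every other server; disabling the SID outright (the other icon on the ALERTS tab) removes the anomaly check for all traffic, so prefer the narrower option when the alert is tied to a known update host.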

              @bmeeks

              Yes, I also set the DNS resolve to a faster speed; that fixed the timeout issue.

              I found the location, thanks.

              (Image: sid.JPG)

              Make sure to upvote

              JonathanLee @bmeeks

                @bmeeks

                Thanks for the reply again.

                I am still having an issue with HTTP downloads: they do not connect, either for apt-get update on Linux or on Windows. They are removed from the blocked list, however they never show traffic. I have port 80 closed and all traffic is forced into the proxy, but the updates do not work; everything else works, however. I did set up WPAD and have it working; I can sometimes see it run on the proxy under real time as well. But HTTP downloads for updates do not work. I can download the update files directly, though: they come in as Windows cabinet files when I click the link, but they will not make it to my system from the proxy.

                Make sure to upvote

                JonathanLee @bmeeks

                  @bmeeks (Image: Screen Shot 2022-01-14 at 6.04.37 PM.png)

                  This is what happens: the system shows "checking for updates" non-stop, and if you look at the Squid real time view it only shows 0 with a weird HTTP entry.

                  Make sure to upvote

                  JonathanLee @JonathanLee

                    @jonathanlee I even made a NAT from port 80 to 3128 to see if that fixed it; nothing. If I click the link that shows 0 it will download from Chrome, however, so that is working. Weird?

                    Make sure to upvote

                    JonathanLee @JonathanLee

                      @jonathanlee

                      WPAD works and tests OK.

                      (Image: wpaddownloads.JPG)

                      Make sure to upvote

                      JonathanLee @JonathanLee

                        @jonathanlee

                        (Image: cab.JPG)

                        I can download the HTTP .cab file from Chrome.

                        Make sure to upvote

                        JonathanLee @JonathanLee

                          @jonathanlee
                          (Image: tcp0.JPG)

                          Packet capture shows TCP 0 and never connects, however, for the direct download from Windows Update.

                          Make sure to upvote

                          JonathanLee @JonathanLee

                            @jonathanlee

                            (Image: cabfile.JPG)

                            Once the cab file is opened it has a text file inside.

                            What can cause this type of issue?

                            Make sure to upvote

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.