Users get blocked by Snort package



  • Hello all,

    I am currently using Snort 2.8.6 pkg v. 1.31 on pfSense Beta4 in IPS mode.
    Users get blocked with the following: (http_inspect) DOUBLE DECODING ATTACK sid 119:2:1, which I identified as a false negative.

    I tried to add the following lines to the suppress section, but there was no change; users still get blocked with the same sid 119:2:1.
    Please advise how to get rid of this event blocking.

    Thanks




  • Your suppression should look like this:

    suppress gen_id 119, sig_id 1
    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 13


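An added example, not part of either post above: the alert ID 119:2:1 reads as gen_id 119, sig_id 2, rev 1, so a suppress entry has to name the first two fields separately. This Python check parses a suppress list and reports which alert IDs in a log are still not covered; the malformed entry, the extra alert and the addresses in the sample data are constructed, and the function names are hypothetical.

```python
import re

# Alert IDs are logged as [gen_id:sig_id:rev], e.g. [119:2:1].
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")
# Unscoped suppress entries in the form used in the reply above.
SUPPRESS = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)$")

def parse_suppress(text):
    """Return (covered, rejected): (gen_id, sig_id) pairs and lines that did not parse."""
    covered, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        m = SUPPRESS.match(line)
        if m:
            covered.add((int(m.group(1)), int(m.group(2))))
        else:
            rejected.append(line)
    return covered, rejected

def still_alerting(alert_lines, covered):
    """Return sorted (gen_id, sig_id) pairs seen in alerts that no entry covers."""
    seen = set()
    for line in alert_lines:
        m = ALERT_ID.search(line)
        if m:
            # rev is ignored: a suppress entry is keyed on gen_id and sig_id only
            seen.add((int(m.group(1)), int(m.group(2))))
    return sorted(seen - covered)

# Suppress list from the reply, plus one constructed malformed entry.
SUPPRESS_TEXT = """
suppress gen_id 119, sig_id 1
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 13
suppress 119:2:1   # constructed: alert ID pasted as-is, not valid
"""

# Constructed sample alert lines (documentation addresses).
ALERTS = [
    "[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 192.0.2.20:51234 -> 203.0.113.5:80",
    "[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] {TCP} 192.0.2.21:40100 -> 203.0.113.5:80",
]

if __name__ == "__main__":
    covered, rejected = parse_suppress(SUPPRESS_TEXT)
    print("entries that did not parse:", rejected)
    print("alert IDs not suppressed:", still_alerting(ALERTS, covered))
```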