Netgate Discussion Forum

    Users get blocked by Snort package

      tbaror

      Hello all,

      I am currently using Snort 2.8.6 pkg v. 1.31 on pfSense Beta4 in IPS mode.
      Users get blocked with the following: (http_inspect) DOUBLE DECODING ATTACK sid 119:2:1, which I identified as a false negative.

      I tried to add the following lines to the suppress section, but there is no change; users still get blocked with the same sid 119:2:1.
      Please advise how to get rid of this event blocking.

      Thanks

      snort-blocked.png

        chowtamah

        Your suppression should look like this:

        suppress gen_id 119, sig_id 1
        suppress gen_id 119, sig_id 2
        suppress gen_id 119, sig_id 4
        suppress gen_id 119, sig_id 13

        2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

        Always trying to learn!!
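
The alert ID in the question, 119:2:1, reads as generator 119, signature 2, revision 1, and a suppress entry matches on the first two only. The following is an added example, not part of the original posts, that checks alert lines against a suppress list; the function names are hypothetical and the alert lines are constructed samples in Snort's fast-alert layout.

```python
import re

# Snort 2.x: suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*(,\s*track\s+.*)?$")
# Alerts are logged as [gid:sid:rev]; the revision is not part of a suppress entry.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

def parse_suppress(text):
    """Return {(gid, sid): scoped}; scoped=True means limited by 'track ... ip'."""
    entries = {}
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line.split("#", 1)[0])
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            # A global entry wins over an IP-scoped one for the same ID.
            entries[key] = entries.get(key, True) and bool(m.group(3))
    return entries

def check_alerts(alert_lines, entries):
    """Return [(gid, sid, rev, msg, status)] for each line carrying an alert ID."""
    out = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, rev = (int(m.group(i)) for i in (1, 2, 3))
        scoped = entries.get((gid, sid))
        status = ("not suppressed" if scoped is None
                  else "ip-scoped" if scoped else "suppressed")
        out.append((gid, sid, rev, m.group(4), status))
    return out

# Suppress entries as given in the answer above.
ANSWER_SUPPRESS = """\
suppress gen_id 119, sig_id 1
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 13
"""
# Constructed alert lines (addresses are documentation ranges, second rule is made up).
SAMPLE_ALERTS = [
    "08/12-10:15:32.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] "
    "[Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80",
    "08/12-10:15:40.000001  [**] [1:1000001:1] CONSTRUCTED local rule [**] "
    "[Priority: 2] {TCP} 192.0.2.11:40000 -> 198.51.100.5:443",
]

if __name__ == "__main__":
    for row in check_alerts(SAMPLE_ALERTS, parse_suppress(ANSWER_SUPPRESS)):
        print("%d:%d:%d %-45s %s" % row)
```

Any alert reported as "not suppressed" or "ip-scoped" can still fire for at least some traffic, so that is the entry to review in the suppress list.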

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.