Users get blocked by Snort package
-
Hello all,
I am currently using Snort 2.8.6 pkg v. 1.31 on pfSense Beta4 in IPS mode.
Users get blocked with the following: (http_inspect) DOUBLE DECODING ATTACK sid 119:2:1, which I identified as a false negative. I tried to add the following lines to the suppress section, but there was no change; users still get blocked with the same sid 119:2:1.
Please advise how to get rid of this event blocking. Thanks
-
Your suppression should look like this:
suppress gen_id 119, sig_id 1
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 13
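
An added example, not part of either post: the alert ID 119:2:1 reads as gen_id:sig_id:revision, and a suppress entry uses only the first two numbers. The script below compares the IDs seen in an alert log with the active suppress entries and prints the entries still missing; the sample alert lines, the sample suppress list and all function names are constructed for illustration.

```python
import re

# Constructed sample input (not from the thread): Snort "fast" alert lines
# and a suppress list that does not yet cover the rule that is blocking.
SAMPLE_ALERTS = """\
05/12-10:15:01.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80
05/12-10:15:09.654321  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.11:51300 -> 198.51.100.7:80
05/12-10:16:40.000001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:51240 -> 198.51.100.9:80
"""
SAMPLE_SUPPRESS = """\
# suppress gen_id 119, sig_id 2   (commented out, so not active)
suppress gen_id 119, sig_id 4
suppress gen_id 119,sig_id 13
"""

ALERT_ID = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
SUPPRESS = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)$", re.I)


def alerted_ids(alert_text):
    """Map (gen_id, sig_id) -> message for every alert line found."""
    found = {}
    for line in alert_text.splitlines():
        m = ALERT_ID.search(line)
        if m:
            gid, sid, _rev, msg = m.groups()  # revision is not used by suppress
            found.setdefault((int(gid), int(sid)), msg)
    return found


def suppressed_ids(suppress_text):
    """Return the (gen_id, sig_id) pairs that are suppressed for all hosts."""
    covered = set()
    for line in suppress_text.splitlines():
        m = SUPPRESS.match(line)
        # An entry with "track by_src/by_dst, ip ..." only covers that address.
        if m and "track" not in m.group(3).lower():
            covered.add((int(m.group(1)), int(m.group(2))))
    return covered


def missing_suppress_lines(alert_text, suppress_text):
    """Suppress entries needed for alerting rules that are not yet covered."""
    covered = suppressed_ids(suppress_text)
    return [f"suppress gen_id {g}, sig_id {s}"
            for (g, s) in sorted(alerted_ids(alert_text)) if (g, s) not in covered]


if __name__ == "__main__":
    for entry in missing_suppress_lines(SAMPLE_ALERTS, SAMPLE_SUPPRESS):
        print(entry)
```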