Netgate Discussion Forum
    Snort alerts (http_inspect) and blocked clients

    pfSense Packages

    pftdm007

      Hello,

      I am in the last miles of configuring my pfSense box and I need to find out what these alerts are, so I can safely deactivate the rules or keep them…

      (http_inspect) DOUBLE DECODING ATTACK

      I am getting this on a random basis from pretty much any client I use to surf the web, from my HTPC in my living room to my laptop to my iPhone…  Every time Snort picks up one of these alerts, it blocks the web access from the machine that generated the alarm.  That's the way I configured it and I am happy with this behavior, but I never expected to get so many alarms of this kind...  I get one of these almost every time I go on the web.  Whenever a client is blocked, I need to log in to the pfSense box and delete the blocked client from the "blocked" list.

      I couldn't find a clear and simple explanation of this kind of "attack".  All I found is deep technical network forensics and I don't have much time to understand in depth the way computers talk to each other (not for now at least).  Are they dangerous?  I've read that these attacks are normally intended for Microsoft IIS servers.... I am running Linux on ALL machines except my iPhone (just a matter of time ;).

      I'd appreciate it if somebody knowledgeable in network attacks could tell me in a nutshell what they are and what the pros/cons of blocking or unblocking them are...

      Right now, either I completely deactivate the ruleset generating these alerts (exposing myself to extra attacks?) or I live with it and it's hellish...  Even linuxquestions.org generates such alarms!
      Thanks!
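To show what the http_inspect "DOUBLE DECODING ATTACK" alert is actually looking at, here is an added example (not from the post above, and not Snort's or pfSense's own code) that approximates the preprocessor's check: a URI is percent-decoded once, and if the result still contains valid %XX sequences that a second decode pass would change, it is flagged. The sample paths are constructed; note that a legitimately encoded literal percent sign (%2525) trips the same check, which is one reason ordinary sites can raise this alert.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (assumed for this example, not taken from any log).
SAMPLE_PATHS = {
    "plain":            "/index.html",
    "single_encoded":   "/docs/my%20file.html",     # one encoding pass: the normal case
    "double_encoded":   "/search?q=a%2526b",        # %2526 -> %26 -> '&' on a second pass
    "literal_percent":  "/report?pct=100%2525",     # a real '%' sign, encoded once, looks the same
}

# A valid percent-encoded byte: '%' followed by two hex digits.
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def double_decode_check(path: str) -> dict:
    """Approximate the idea behind Snort's http_inspect double-decoding alert.

    A well-behaved client encodes a URI exactly once. If one decoding pass
    leaves behind further valid %XX sequences, a server that decodes twice
    (as some IIS versions historically did) would see a different path than
    the IDS saw on the first pass; the preprocessor alerts on that condition.
    """
    once = unquote(path)    # what a single, correct decode yields
    twice = unquote(once)   # what a second (double) decode would yield
    suspicious = bool(_PCT.search(once)) and twice != once
    return {"once": once, "twice": twice, "double_decoded": suspicious}


def summarize(paths: dict) -> dict:
    """Run the check over a batch of paths and report which ones would alert."""
    return {name: double_decode_check(p)["double_decoded"] for name, p in paths.items()}


if __name__ == "__main__":
    for name, path in SAMPLE_PATHS.items():
        r = double_decode_check(path)
        flag = "ALERT" if r["double_decoded"] else "ok"
        print(f"{name:16} {flag:5} once={r['once']!r} twice={r['twice']!r}")
```

The `literal_percent` case is flagged even though the client did nothing wrong, which is the kind of false positive a block-on-alert policy turns into a locked-out client.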

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.