Snort alerts (http_inspect) and blocked clients

  • Hello,

    I am in the last miles of configuring my pfSense box and I need to find out what these alerts are, so I can safely deactivate the rules or keep them...

    (http_inspect) DOUBLE DECODING ATTACK

    I am getting this on a random basis from pretty much any client I use to surf the web, from my HTPC in my living room to my laptop to my iPhone... Every time Snort picks up one of these alerts, it blocks web access from the machine that generated the alarm. That's the way I configured it and I am happy with this behavior, but I never expected to get so many alarms of this kind... I get one of these almost every time I go on the web. Whenever a client is blocked, I need to log in to the pfSense box and delete the blocked client from the "blocked" list.

    I couldn't find a clear and simple explanation of this kind of "attack". All I found is deep technical network forensics, and I don't have much time to understand in depth the way computers talk to each other (not for now at least). Are they dangerous? I've read that these attacks are normally intended for Microsoft IIS servers... I am running Linux on ALL machines except my iPhone (just a matter of time ;).

    I'd appreciate it if somebody knowledgeable in network attacks could tell me in a nutshell what they are and what the pros/cons of blocking or unblocking them are...

    Right now, either I completely deactivate the ruleset generating these alerts (exposing myself to extra attacks?) or I live with it, and it's hellish... Even linuxquestions.org generates such alarms!
    Thanks!