How do i suppress this rule



  • (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE lastest version of snort i updated today .





  • BUMP

    This rule is not being suppressed even though I believe I have everything correctly written in SNORT > Suppress:
    suppress gen_id 120, sig_id 3

    I've restarted Snort and also restarted the entire PFsense router and SNORT 2.0 is still throwing alerts for this SID.

    What's the issue?



  • I am getting the following SNORT startup message in system.log:

    Nov 12 16:29:45 www snort[1955]: +–---------------------[suppression]–----------------------------------------
    Nov 12 16:29:45 www snort[1955]: +–---------------------[suppression]–----------------------------------------
    Nov 12 16:29:45 www snort[1955]: | none
    Nov 12 16:29:45 www snort[1955]: | none
    Nov 12 16:29:45 www snort[1955]: –-----------------------------------------------------------------------------
    Nov 12 16:29:45 www snort[1955]: –-----------------------------------------------------------------------------

    It seems that my suppression rule isn't being activated somehow…...



  • after you created the list, did you select that list under the interface config page?



  • No I did not, and that seemed to be the problem. Didn't know I had to do that… thanks girlfriend!
    @Cino:

    after you created the list, did you select that list under the interface config page?



  • @Cino:

    after you created the list, did you select that list under the interface config page?

    Where is this page located i can't seem to find it .With problem i can't search the internet at all i keep getting the rule blocked .



  • Uncheck Block offenders until you fix the suppress rule and still have internet access.

    It is under Snort: Interface Edit: (If settings) Suppression and filtering



  • @RonpfS:

    Uncheck Block offenders until you fix the suppress rule and still have internet access.

    It is under Snort: Interface Edit: (If settings) Suppression and filtering

    I just have snort turned off .Tried to suppress rule and nothing works



  • Did you remove your WAN IP from the Blocked list?



  • @RonpfS:

    Did you remove your WAN IP from the Blocked list?

    MY ip was never blocked



  • In the "for what it's worth category" this message, and my need to suppress it (amd64 V2.0), disappeared with an uninstall of SNORT and reinstall with the updated 2.9.1 package.

    Previous to that, everything was being blocked and the event log was being flooded with HTTP_INSPECT events.



  • 2011-11-12 00:05:24	Daemon.Notice	x.x.x.x	snort[33078]: | gen-id=120    sig-id=3          type=Suppress  tracking=none filtered=109
    

    I still get them  :-[




Log in to reply