SNORT - 2.9.1 pkg v. 2.0 - (http_inspect) - SID - 120:3:1
-
Hey Guys,
Has anyone been seeing this error on pfsense 2.0 RELEASE AMD64 with SNORT 2.9.1 pkg v. 2.0:
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
FWIW, this error happened after I upgraded the SNORT package.
If you browse to (almost) any website, this SID pops up and blocks the site. I've tried suppressing this under the 'Suppress' tab. I've tried disabling HTTP inspect, changing it from a 0 to a -1, nothing seems to work.
Here's a sample log:
snort[8714]: [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} ...:80 -> ...:17105
I've tried a bunch of different things in order to get this error to go away and no luck.
Any idea on how to fix this?
Thanks!
-th3r3isnospoon
-
http://forum.pfsense.org/index.php/topic,41533.msg220890.html#msg220890
-
Thanks for the link.
I actually saw that thread and read through it. I was just able to get the -1 to work. However, I would like this to be at 0. I had it at 0 on the last version of the SNORT package and I never had this error before. Just curious why this happened after the upgrade. Was this not fully working before?
Thanks,
-th3r3isnospoon
-
It's not an error but an alert.
-
Did you try this? suppress gen_id 120, sig_id 3
Make sure you add your suppression list to the snort interface settings. Change it from default to the list that has that rule. Works fine for me, I have http_inspect set to 300
-
its not an error but an alert
Yes, that is true. However, about 80% of websites generate this alert.
Did you try this? suppress gen_id 120, sig_id 3
Make sure you add your suppression list to the snort interface settings. Change it from default to the list that has that rule. Works fine for me, I have http_inspect set to 300
Hrmm… I just disabled HTTP inspect. I then restarted the SNORT service and all is well. I will try this and report back.
At this point I am just wondering why exactly this is being triggered on almost every website I visit.
Thanks,
-th3r3isnospoon
-
its not an error but an alert
Yes, that is true. However, about 80% of websites generate this alert.
Did you try this? suppress gen_id 120, sig_id 3
Make sure you add your suppression list to the snort interface settings. Change it from default to the list that has that rule. Works fine for me, I have http_inspect set to 300
I have the same problem, and it is a big problem with web surfing; it blocks everything.
Hrmm… I just disabled HTTP inspect. I then restarted the SNORT service and all is well. I will try this and report back.
At this point I am just wondering why exactly this is being triggered on almost every website I visit.
Thanks,
-th3r3isnospoon
-
I've created a video:
http://www.youtube.com/watch?v=uQ7OrxtiAes
-
I've created a video:
http://www.youtube.com/watch?v=uQ7OrxtiAes
Nice job. It's kind of difficult to put into words that the interface must have the suppression list added to it and that simply creating the suppression list is not enough.
-
Thanks – Can we get a SOLVED tag put in the Subject?
-
-
I've created a video:
http://www.youtube.com/watch?v=uQ7OrxtiAes
Thank You so Far so good !!!!! ^_^
-
I've created a video:
http://www.youtube.com/watch?v=uQ7OrxtiAes
Well done - little good documentation exists for pfSense. Your video explains one small but vital aspect of pfsense/snort.
Yak
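Added example, not part of the original thread: a small Python triage script that tallies Snort alerts by generator ID and signature ID from log lines in the format quoted above, and lists `suppress` entries for signatures that dominate the log, so they can be reviewed before being added to the suppression list assigned to the interface. The sample lines, their addresses, the second rule and the `min_share` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog alert format quoted in the thread.
# Addresses are documentation ranges, not values from the original posts.
SAMPLE_LOG = """\
snort[8714]: [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.0.2.25:17105
snort[8714]: [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.25:17106
snort[8714]: [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.44:80 -> 192.0.2.30:40211
snort[8714]: [1:1000001:1] CONSTRUCTED EXAMPLE RULE [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.25:40000 -> 203.0.113.99:8080
kernel: this line is not a Snort alert and is skipped
"""

# [gid:sid:rev] followed by the message, up to the classification field.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[Classification:"
)

def tally(log_text):
    """Count alerts per (gid, sid) and remember each signature's message."""
    counts, msgs = Counter(), {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        key = (int(m.group("gid")), int(m.group("sid")))
        counts[key] += 1
        msgs.setdefault(key, m.group("msg"))
    return counts, msgs

def suppress_candidates(log_text, min_share=0.5):
    """Return suppress lines for signatures making up >= min_share of alerts."""
    counts, _ = tally(log_text)
    total = sum(counts.values())
    return [
        f"suppress gen_id {gid}, sig_id {sid}"
        for (gid, sid), n in counts.most_common()
        if total and n / total >= min_share
    ]

if __name__ == "__main__":
    counts, msgs = tally(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:4d}  {key[0]}:{key[1]}  {msgs[key]}")
    print("\n".join(suppress_candidates(SAMPLE_LOG)))
```
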