Netgate Discussion Forum
    [Snort] Manually block an IP and HTTP server flow depth

    2 Posts 1 Posters 2.2k Views

    tonysathre

      I actually have two questions. Number one: Is it possible to manually block an IP with Snort, without adding a new firewall rule?

      Second: My Snort logs fill up with these alerts: (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

      I don't see these as malicious. The problem is that if I have auto-block enabled, it blocks everything, even legitimate sites like Google. I was looking through the settings and found this option: HTTP server flow depth

      It reads: "Amount of HTTP server response payload to inspect. Snort's performance may increase by adjusting this value. Setting this value too low may cause false negatives. Values above 0 are specified in bytes. Default value is 0."

      I'm assuming I can probably just adjust this value to a higher number, but am curious as to what I should set it to in order to filter out all those alerts, without lessening Snort's effectiveness. I'm assuming something between 2 and 10, but I'm really not sure.

      One last thing, how can I see the actual packet that raised the alert without enabling the capture all traffic to pcap files? If it showed it in the log next to the alert entry, or as a link to the packet from the alert in the log, that would be amazing.

      Thanks guys, love the product,

      Tony

    tonysathre

        Well, I actually fixed two of my problems: suppressing those Snort alerts via this link: http://forum.pfsense.org/index.php/topic,41533.msg220893.html#msg220893

        and adding the ability to view offending packets in the Snort logs using this mod: http://redmine.pfsense.org/issues/2008

        So, the only question left is: Is it possible to manually block an IP with Snort, without adding a new firewall rule?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.