[Snort] Manually block an IP and HTTP server flow depth



  • I actually have two questions. Number one: Is it possible to manually block an IP with Snort, without adding a new firewall rule?

    Second: My Snort logs fill up with these alerts: (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    I don't see these as malicious. The problem is that if I have auto-block enabled, it blocks everything, even legitimate sites like Google. I was looking through the settings and found this option: HTTP server flow depth

    It reads: Amount of HTTP server response payload to inspect. Snort's performance may increase by adjusting this value.
    Setting this value too low may cause false negatives. Values above 0 are specified in bytes. Default value is 0

    I'm assuming I can probably just adjust this value to a higher number, but am curious as to what I should set it to, to filter out all those alerts without lessening Snort's effectiveness. I'm assuming something between 2 and 10 but I'm really not sure.

    One last thing: how can I see the actual packet that raised the alert without enabling the "capture all traffic to pcap files" option? If it showed it in the log next to the alert entry, or as a link to the packet from the alert in the log, that would be amazing.

    Thanks guys, love the product,

    Tony



  • Well, I actually fixed two of the problems: suppressing those Snort alerts via this link: http://forum.pfsense.org/index.php/topic,41533.msg220893.html#msg220893

    and adding the ability to view offending packets in the Snort logs using this mod: http://redmine.pfsense.org/issues/2008

    So, the only question left is: Is it possible to manually block an IP with Snort, without adding a new firewall rule?
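A way to triage the noisy alert from the first post and scope its suppression, added here as an example that is not code from the thread or from the Snort/pfSense projects: it parses Snort "fast" alert lines, counts each signature, and emits threshold.conf `suppress` entries for the http_inspect message only, either globally or limited to the servers actually seen. The sample alert lines and the 120:3 gid:sid they carry are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# One Snort "fast" alert per line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

# The alert text from the thread; the 120:3 gid:sid in the sample below is an assumption.
NOISY_MSG = "(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"
# Constructed sample alerts, not a real log.
SAMPLE_LOG = """\
03/12-10:01:02.000001  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51000
03/12-10:01:03.000002  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.21:51001
03/12-10:01:04.000003  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:51002
03/12-10:02:00.000004  [**] [1:1000001:1] EXAMPLE rule worth keeping [**] [Priority: 1] {TCP} 198.51.100.9:4444 -> 192.168.1.20:51003
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not fast-format alerts."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    """Count alerts per (gid, sid, msg) and collect the server IPs that triggered each one."""
    counts, srcs = Counter(), defaultdict(set)
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"], a["msg"])
        counts[key] += 1
        srcs[key].add(a["src"])
    return counts, srcs

def suppress_lines(counts, srcs, msg=NOISY_MSG, per_source=True):
    """Emit threshold.conf 'suppress' entries for the noisy signature only.
    per_source=True limits the suppression to the servers actually seen (track by_src),
    so the same signature still fires for any other host."""
    out = []
    for (gid, sid, m) in counts:
        if m != msg:
            continue
        if per_source:
            out += [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
                    for ip in sorted(srcs[(gid, sid, m)])]
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out
```

Run `summarize(SAMPLE_LOG)` and feed the result to `suppress_lines` to see that only the http_inspect signature is suppressed while the unrelated alert is left intact.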
