1. Home
  2. pfSense Packages
  3. Best way to whitelist Imdb's website from Snort?

Best way to whitelist Imdb's website from Snort?

  • P

    Hi,

    I am having a hard time preventing www.imbd.com from being blocked by Snort.

    In Snort's blocked list I see:

    
72.21.203.211 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/06-00:54:05
72.21.215.52 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-02:31:37

    I wonder if these errors are serious?  I believe not, and I'd like to prevent Snort from blocking www.imdb.com based on these alerts.  I dont want to add this type of alert  ((http_inspect) INVALID STATUS CODE IN HTTP RESPONSE) to a general whitelist because a malicious website could use it in the future..

    SO how can I add an exception for imdb.com ??? The whitelist tab allows only the IP address.  Is it good enough?

    Thanks

    0
  • bmeeks

    @lpallard:

    Hi,

    I am having a hard time preventing www.imbd.com from being blocked by Snort.

    In Snort's blocked list I see:

    
72.21.203.211 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/06-00:54:05
72.21.215.52 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-02:31:37

    I wonder if these errors are serious?  I believe not, and I'd like to prevent Snort from blocking www.imdb.com based on these alerts.  I dont want to add this type of alert  ((http_inspect) INVALID STATUS CODE IN HTTP RESPONSE) to a general whitelist because a malicious website could use it in the future..

    SO how can I add an exception for imdb.com ??? The whitelist tab allows only the IP address.  Is it good enough?

    Thanks

    This is going to be tricky because I suspect a site like that probably has multiple IP addresses (like a server farm).  If they all resolve to a single IP, then you can create an Alias for the web site and then add that alias to a whitelist.  Do this under Firewall…Aliases.  Then go to the Whitelist tab in Snort and either add that alias to an existing whitelist, or create a new white list containing the alias.  If this is your first whitelist, be sure to leave the defaults in place where it automatically whitelists your WAN IP, gateways and DNS servers.

    My personal observations of HTTP_INSPECT is that it is entirely too "picky".  I know it is based on the RFC standards and such, but it just seems to complain about too many legitimate web sites.  I have a pretty long list of Suppression Rules for some of these HTTP_INSPECT errors.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy