    Best way to whitelist Imdb's website from Snort?

      pftdm007

      Hi,

      I am having a hard time preventing www.imdb.com from being blocked by Snort.

      In Snort's blocked list I see:

      
      72.21.203.211 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/06-00:54:05
      72.21.215.52 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-02:31:37
      
      

      I wonder if these errors are serious? I believe not, and I'd like to prevent Snort from blocking www.imdb.com based on these alerts. I don't want to add this type of alert ((http_inspect) INVALID STATUS CODE IN HTTP RESPONSE) to a general whitelist because a malicious website could use it in the future.

      So how can I add an exception for imdb.com? The whitelist tab allows only the IP address. Is it good enough?

      Thanks

        bmeeks

        @lpallard:

        Hi,

        I am having a hard time preventing www.imdb.com from being blocked by Snort.

        In Snort's blocked list I see:

        
        72.21.203.211 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/06-00:54:05
        72.21.215.52 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-02:31:37
        
        

        I wonder if these errors are serious? I believe not, and I'd like to prevent Snort from blocking www.imdb.com based on these alerts. I don't want to add this type of alert ((http_inspect) INVALID STATUS CODE IN HTTP RESPONSE) to a general whitelist because a malicious website could use it in the future.

        So how can I add an exception for imdb.com? The whitelist tab allows only the IP address. Is it good enough?

        Thanks

        This is going to be tricky because I suspect a site like that probably has multiple IP addresses (like a server farm). If they all resolve to a single IP, then you can create an Alias for the web site and then add that alias to a whitelist. Do this under Firewall…Aliases. Then go to the Whitelist tab in Snort and either add that alias to an existing whitelist, or create a new whitelist containing the alias. If this is your first whitelist, be sure to leave the defaults in place where it automatically whitelists your WAN IP, gateways and DNS servers.

        My personal observation of HTTP_INSPECT is that it is entirely too "picky". I know it is based on the RFC standards and such, but it just seems to complain about too many legitimate web sites. I have a pretty long list of Suppression Rules for some of these HTTP_INSPECT errors.

        Bill
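
An added example, not part of either post: suppression entries in Snort 2.x suppress-list syntax that silence only this one http_inspect event, and only for the two server addresses shown in the blocked list above, which is narrower than whitelisting the hosts for every rule. The generator/signature pair 120:2 is the stock Snort 2.x ID for this message and is an assumption here, since the thread does not state it; confirm it against the GID:SID shown for the alert before using it.

```conf
# Added example: entries for a Snort 2.x suppress list.
# Assumption: GID 120 / SID 2 is
#   "(http_inspect) INVALID STATUS CODE IN HTTP RESPONSE".

# Too broad: silences this event for every server on the Internet,
# which is the outcome the original poster wants to avoid.
# suppress gen_id 120, sig_id 2

# Scoped: silence the event only when the HTTP response comes from one
# of the two addresses in the blocked list. Every other rule still
# applies to these hosts, and this event still fires for any other server.
suppress gen_id 120, sig_id 2, track by_src, ip 72.21.203.211
suppress gen_id 120, sig_id 2, track by_src, ip 72.21.215.52
```

Because the entries are tied to addresses, they need the same upkeep as an IP whitelist when the site's servers change.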
