Best way to whitelist Imdb's website from Snort?



  • Hi,

    I am having a hard time preventing www.imdb.com from being blocked by Snort.

    In Snort's blocked list I see:

    
    72.21.203.211 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/06-00:54:05
    72.21.215.52 	 (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-02:31:37
    
    

    I wonder if these errors are serious? I believe not, and I'd like to prevent Snort from blocking www.imdb.com based on these alerts. I don't want to add this type of alert ((http_inspect) INVALID STATUS CODE IN HTTP RESPONSE) to a general whitelist because a malicious website could use it in the future.

    So how can I add an exception for imdb.com? The whitelist tab allows only the IP address. Is it good enough?

    Thanks



  • @lpallard:

    This is going to be tricky because I suspect a site like that probably has multiple IP addresses (like a server farm). If they all resolve to a single IP, then you can create an Alias for the web site and then add that alias to a whitelist. Do this under Firewall…Aliases. Then go to the Whitelist tab in Snort and either add that alias to an existing whitelist, or create a new whitelist containing the alias. If this is your first whitelist, be sure to leave the defaults in place where it automatically whitelists your WAN IP, gateways and DNS servers.

    My personal observation of HTTP_INSPECT is that it is entirely too "picky". I know it is based on the RFC standards and such, but it just seems to complain about too many legitimate web sites. I have a pretty long list of Suppression Rules for some of these HTTP_INSPECT errors.

    Bill
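As an added example (not code from the thread or from Snort/pfSense), here is a small Python script that parses the blocked list shown above, keeps only the entries whose IP belongs to the site and that carry the http_inspect message in question, and emits Snort `suppress` entries tracked by source IP, so the same alert stays active for every other host. The site's IP list (from `resolve_site`, which needs network, or typed by hand) and the gen_id/sig_id values are assumptions: take the GID:SID from your own alert log.

```python
import ipaddress
import re
import socket

# Constructed sample in the format of the Snort blocked list quoted in the post
# (the third entry is made up to show an IP that does not belong to the site).
BLOCKED_LIST = """\
72.21.203.211 \t (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/06-00:54:05
72.21.215.52 \t (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-02:31:37
198.51.100.7 \t (http_inspect) INVALID STATUS CODE IN HTTP RESPONSE - 04/05-03:10:12
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<pp>[^)]+)\)\s+(?P<msg>.+?)\s+-\s+(?P<ts>\S+)$"
)

def parse_blocked_list(text):
    """Return one dict (ip, pp, msg, ts) per well-formed blocked-list line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def resolve_site(hostname):
    """All IPv4 addresses the site currently resolves to (needs network access)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def triage(entries, site_ips, msg, gen_id, sig_id):
    """Build per-host suppress lines for blocked IPs that belong to the site and
    carry the expected message; everything else is returned for manual review.
    gen_id/sig_id are the GID:SID of the alert as shown in your own alert log."""
    trusted = {ipaddress.ip_address(ip) for ip in site_ips}
    suppress, review = set(), []
    for e in entries:
        if e["msg"] == msg and ipaddress.ip_address(e["ip"]) in trusted:
            # The server sends the response, so the offending IP is the source.
            suppress.add(f"suppress gen_id {gen_id}, sig_id {sig_id}, track by_src, ip {e['ip']}")
        else:
            review.append(e["ip"])
    return sorted(suppress), review

if __name__ == "__main__":
    # In practice: site_ips = resolve_site("www.imdb.com"); hard-coded here to run offline.
    lines, leftover = triage(parse_blocked_list(BLOCKED_LIST), ["72.21.203.211", "72.21.215.52"],
                             "INVALID STATUS CODE IN HTTP RESPONSE", 120, 2)  # assumed GID:SID
    print("\n".join(lines))
    print("review:", leftover)
```

Because the site's addresses can change, re-run the resolution periodically and diff the generated suppress lines against the ones in your suppression list rather than trusting a one-time snapshot.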

