Question about snort - help

firefox

snort running in my computer
But there are sites that it blocks access to them

Is there a place to enroll site
That snort does not block

I tried to insert the name of website in the tab of white list

But without success
Then I realized that you first add the site name
in the tab "aliases"
I wrote down the name of the site name and its IP
But it is still blocked

I guess I'm doing something wrong
I just do not know what

How do I prevent from snort to block me certain sites

In short I got into trouble with it

A Former User

Snort blocks sites based on some logic. If you did not follow the proper set up instructions, of course it will block every site it comes across (simple html request). Please see:

http://forum.pfsense.org/index.php/topic,61018.0.html
http://forum.pfsense.org/index.php/topic,64674.0.html
http://forum.pfsense.org/index.php/topic,56267.0.html

and read ALL posts in those topics before proceeding with setting up snort.

firefox

It's a day's work
If there is a problem
Is there a way to return to the previous state without having to go one by one

I understood the intent
Instead snort check the browsing and will cancel the block {suppress List}

He does not check at all

But for 10 or 20 sites
Is it worth all the work

I now want to try the suppress List
I do not have a lot of sites have a problem with them
Barely six

How do I know which law follow what site

I get the list of blocked
I see only ip
I do not see the name of the site

bmeeks

@firefox:

It's a day's work
If there is a problem
Is there a way to return to the previous state without having to go one by one

I understood the intent
Instead snort check the browsing and will cancel the block {suppress List}

He does not check at all

But for 10 or 20 sites
Is it worth all the work

I now want to try the suppress List
I do not have a lot of sites have a problem with them
Barely six

How do I know which law follow what site

I get the list of blocked
I see only ip
I do not see the name of the site

More than likely it is the HTTP_INSPECT preprocessor that is causing you issues.  It can be overly aggressive.  I saw some traffic on the Snort-Developer mailing list over the weekend discussing some bugs in the behavior of this preprocessor.  The Snort developers said some improvements were in the works for a later Snort binary release.

In the meantime, look in the ALERTS tab of Snort and you will probably see some alerts from the HTTP_INSPECT preprocessor.  These will have the words (http_inspect) under the Description column.  In the SID column will be a number pair such as 120:8.  This is the code for Generator ID and Signature ID.  In this example, the alert is coming from Generator ID 120 (which is the HTTP_INSPECT preprocessor) and the specific alert is from Signature ID 8.  Underneath the number pair will be a plus icon (+).  Clicking that icon will automatically add that SID to the Suppress List for the interface.  Once on the Suppress List, that alert will not cause any further blocks.

As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system.  For example, do a nslookup on "yahoo.com" and you will see a number of IP addresses returned.  So for any given session, your browser could connect to any one of those IP addresses.

Bill

firefox

As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system.  For example, do a nslookup on "yahoo.com" and you will see a number of IP addresses returned.  So for any given session, your browser could connect to any one of those IP addresses.

Bill

I guess that's what I will be able to use the tab of aliases
Or I did not understand well

bmeeks

@firefox:

I guess that's what I will be able to use the tab of aliases
Or I did not understand well

Aliases in the Whitelist are still a bit in the future (if ever).  There are lots of issues to iron out in order to pull that off.  I was simply talking about the ability on the ALERTS or BLOCKED tabs of being able to click an icon and perform a reverse DNS lookup on the displayed IP address.  This is more of a convenience some other users asked for.

Bill

firefox

I know what you mean
I just thought I'd do it in a warped {Around it}
Because the correct path a bit complicated
Or rather a lot of time working

in thr alerts tab
There is a list of sites that snort alerts from them

Near the each alert there are a plus sign + adds the alert to suppression
The problem I do not know what is real and what alerts are false

How do I know?
Otherwise it was simple
Add all there to suppression list

How can you add more files with high weight in a single message

firefox

Another image

firefox

Another image