Netgate Discussion Forum

    Question about snort - help

    pfSense Packages
    • firefox

      Snort is running on my computer,
      but there are sites that it blocks access to.

      Is there a place to register a site
      that Snort should not block?

      I tried to insert the name of the website in the whitelist tab,

      but without success.
      Then I realized that you first add the site name
      in the "aliases" tab.
      I wrote down the site name and its IP,
      but it is still blocked.

      I guess I'm doing something wrong;
      I just do not know what.

      How do I prevent Snort from blocking certain sites for me?

      In short, I got into trouble with it.

      [Attached images: 134.png, 133.png]

      • A Former User

        Snort blocks sites based on some logic. If you did not follow the proper set up instructions, of course it will block every site it comes across (simple html request). Please see:

        http://forum.pfsense.org/index.php/topic,61018.0.html
        http://forum.pfsense.org/index.php/topic,64674.0.html
        http://forum.pfsense.org/index.php/topic,56267.0.html

        and read ALL posts in those topics before proceeding with setting up snort.

        • firefox

          It's a day's work
          If there is a problem
          Is there a way to return to the previous state without having to go one by one

          I understood the intent
          Instead snort check the browsing and will cancel the block {suppress List}

          He does not check at all

          But for 10 or 20 sites
          Is it worth all the work

          I now want to try the Suppress List.
          I do not have a lot of sites that I have a problem with,
          barely six.

          How do I know which law follow what site

          I get the list of blocked;
          I see only the IP.
          I do not see the name of the site.

          • bmeeks

            @firefox:

            It's a day's work
            If there is a problem
            Is there a way to return to the previous state without having to go one by one

            I understood the intent
            Instead snort check the browsing and will cancel the block {suppress List}

            He does not check at all

            But for 10 or 20 sites
            Is it worth all the work

            I now want to try the Suppress List.
            I do not have a lot of sites that I have a problem with,
            barely six.

            How do I know which law follow what site

            I get the list of blocked;
            I see only the IP.
            I do not see the name of the site.

            More than likely it is the HTTP_INSPECT preprocessor that is causing you issues.  It can be overly aggressive.  I saw some traffic on the Snort-Developer mailing list over the weekend discussing some bugs in the behavior of this preprocessor.  The Snort developers said some improvements were in the works for a later Snort binary release.

            In the meantime, look in the ALERTS tab of Snort and you will probably see some alerts from the HTTP_INSPECT preprocessor.  These will have the words (http_inspect) under the Description column.  In the SID column will be a number pair such as 120:8.  This is the code for Generator ID and Signature ID.  In this example, the alert is coming from Generator ID 120 (which is the HTTP_INSPECT preprocessor) and the specific alert is from Signature ID 8.  Underneath the number pair will be a plus icon (+).  Clicking that icon will automatically add that SID to the Suppress List for the interface.  Once on the Suppress List, that alert will not cause any further blocks.

            As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system.  For example, do a nslookup on "yahoo.com" and you will see a number of IP addresses returned.  So for any given session, your browser could connect to any one of those IP addresses.

            Bill

            1 Reply Last reply Reply Quote 0
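The triage bmeeks describes (read the GID:SID pair, then suppress the noisy HTTP_INSPECT signatures) can also be done offline against an alert log. The following is an added example, not code from the thread or from the pfSense Snort package; it assumes the log is in Snort's `alert_fast` text format, and every sample line, message and IP address in it is constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort "alert_fast" format (not taken from the thread).
SAMPLE_ALERTS = """\
01/14-10:22:31.100000  [**] [120:8:1] (http_inspect) constructed sample message A [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:51544
01/14-10:22:35.200000  [**] [120:8:1] (http_inspect) constructed sample message A [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.11:80 -> 192.168.1.20:51560
01/14-10:23:02.300000  [**] [120:3:1] (http_inspect) constructed sample message B [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.20:51602
01/14-10:25:40.400000  [**] [1:1000001:2] constructed text-rule alert [**] [Classification: Misc activity] [Priority: 2] {TCP} 192.168.1.20:51700 -> 198.51.100.99:8080
"""

# [gid:sid:rev] message ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

HTTP_INSPECT_GID = 120  # generator ID named in the post above


def summarize(log_text):
    """Group alerts by (gid, sid); keep the message, a count and the source IPs."""
    groups = defaultdict(lambda: {"msg": "", "count": 0, "src_ips": set()})
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        entry = groups[(int(m["gid"]), int(m["sid"]))]
        entry["msg"] = m["msg"]
        entry["count"] += 1
        entry["src_ips"].add(m["src"])
    return dict(groups)


def suppress_lines(groups, gid=HTTP_INSPECT_GID):
    """Build Suppress List entries for one generator only; text rules are left alone."""
    return [f"suppress gen_id {g}, sig_id {s}" for (g, s) in sorted(groups) if g == gid]


if __name__ == "__main__":
    groups = summarize(SAMPLE_ALERTS)
    for (g, s), info in sorted(groups.items()):
        print(f"{g}:{s} x{info['count']} from {sorted(info['src_ips'])}  {info['msg']}")
    print("\n".join(suppress_lines(groups)))
```

In the sample, 120:8 fires for two different server addresses, which is why the suppression is keyed on the GID:SID pair rather than on an IP.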
            • firefox

              As for IP addresses, a lookup icon is coming in the next Snort package version, but for most high-traffic web sites this is not generally too useful because they have a number of individual IP addresses behind a load-balancer system.  For example, do a nslookup on "yahoo.com" and you will see a number of IP addresses returned.  So for any given session, your browser could connect to any one of those IP addresses.

              Bill

              I guess that's what I will be able to use the tab of aliases
              Or I did not understand well

              • bmeeks

                @firefox:

                I guess that's what I will be able to use the tab of aliases
                Or I did not understand well

                Aliases in the Whitelist are still a bit in the future (if ever).  There are lots of issues to iron out in order to pull that off.  I was simply talking about the ability on the ALERTS or BLOCKED tabs of being able to click an icon and perform a reverse DNS lookup on the displayed IP address.  This is more of a convenience some other users asked for.

                Bill

                • firefox

                  I know what you mean.
                  I just thought I'd do it in a warped {Around it}
                  because the correct path is a bit complicated,
                  or rather a lot of time working.

                  In the alerts tab
                  there is a list of sites that Snort alerts on.

                  Near each alert there is a plus sign (+) that adds the alert to suppression.
                  The problem is I do not know which alerts are real and which are false.

                  How do I know?
                  Otherwise it was simple:
                  add all there to the suppression list.

                  How can you add more files with high weight in a single message

                  [Attached image: 555.png]

                  • firefox

                    Another image

                    [Attached image: 666.png]

                    • firefox

                      Another image

                      [Attached image: 777.png]
