Snort blocks many websites badly



  • Hi,

    I'm setting up a fresh pfSense box for proxying http traffic at my office. I installed Squid3-dev and snort (updated VRT community rules and ETOpen rules). I disabled "block offenders" in snort but as time goes by, it's still blocking many normal websites like: AWS, reddit, and many more photos sharing hosts. Description for those blocked hosts are "UNKNOWN METHOD" or "DOUBLE DECODING ATTACK" or "NO CONTENT-LENGTH" OR "TRANSFER-ENCODING IN HTTP RESPONSE".

    It would be great if somebody tell me what's wrong here and what I'd do to improvise. Thanks.

    Edit: snort are enabled on WAN interface, and it's also blocking download packages from psfense.org for same reason.



  • @A999:

    Hi,

    I'm setting up a fresh pfSense box for proxying http traffic at my office. I installed Squid3-dev and snort (updated VRT community rules and ETOpen rules). I disabled "block offenders" in snort but as time goes by, it's still blocking many normal websites like: AWS, reddit, and many more photos sharing hosts. Description for those blocked hosts are "UNKNOWN METHOD" or "DOUBLE DECODING ATTACK" or "NO CONTENT-LENGTH" OR "TRANSFER-ENCODING IN HTTP RESPONSE".

    It would be great if somebody tell me what's wrong here and what I'd do to improvise. Thanks.

    Edit: snort are enabled on WAN interface, and it's also blocking download packages from psfense.org for same reason.

    Did you remember to stop/start the Snort process after you changed the blocking option from "on" to "off"?  If you uncheck "block offenders" and restart Snort, it won't block anything.  It will print alerts, but it won't block.

    The alerts you listed are considered to be common, known false positives from the HTTP_INSPECT preprocessor.  There is a long thread containing suggestions from experienced Snort users for suppressing false positives.  Here is a link:  https://forum.pfsense.org/index.php/topic,56267.msg300473.html#msg300473

    Bill