Netgate Discussion Forum
    Snort blocks many websites badly

A999 wrote:

Hi,

I'm setting up a fresh pfSense box for proxying HTTP traffic at my office. I installed Squid3-dev and Snort (updated VRT community rules and ETOpen rules). I disabled "block offenders" in Snort, but as time goes by it's still blocking many normal websites like AWS, reddit, and many more photo-sharing hosts. The descriptions for those blocked hosts are "UNKNOWN METHOD" or "DOUBLE DECODING ATTACK" or "NO CONTENT-LENGTH" OR "TRANSFER-ENCODING IN HTTP RESPONSE".

It would be great if somebody could tell me what's wrong here and what I should do to improve it. Thanks.

Edit: Snort is enabled on the WAN interface, and it's also blocking package downloads from pfsense.org for the same reason.

bmeeks wrote:

@A999:

    Hi,

    I'm setting up a fresh pfSense box for proxying HTTP traffic at my office. I installed Squid3-dev and Snort (updated VRT community rules and ETOpen rules). I disabled "block offenders" in Snort, but as time goes by it's still blocking many normal websites like AWS, reddit, and many more photo-sharing hosts. The descriptions for those blocked hosts are "UNKNOWN METHOD" or "DOUBLE DECODING ATTACK" or "NO CONTENT-LENGTH" OR "TRANSFER-ENCODING IN HTTP RESPONSE".

    It would be great if somebody could tell me what's wrong here and what I should do to improve it. Thanks.

    Edit: Snort is enabled on the WAN interface, and it's also blocking package downloads from pfsense.org for the same reason.

Did you remember to stop/start the Snort process after you changed the blocking option from "on" to "off"? If you uncheck "block offenders" and restart Snort, it won't block anything. It will print alerts, but it won't block.

The alerts you listed are considered to be common, known false positives from the HTTP_INSPECT preprocessor. There is a long thread containing suggestions from experienced Snort users for suppressing false positives. Here is a link: https://forum.pfsense.org/index.php/topic,56267.msg300473.html#msg300473

Bill
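
As an added example (not from this thread, and not code from the pfSense or Snort projects), the script below turns Snort alert lines into the kind of suppress-list entries Bill's answer points at. It assumes Snort's one-line "fast" alert format, that the HTTP_INSPECT preprocessor alerts carry generator id 119 (request side) and 120 (response side), and that the suppress syntax is Snort's threshold.conf form, which is what a pfSense Snort suppress list holds. The sample alert lines, including their sids and addresses, are constructed for the example. It goes slightly beyond the thread by offering a host-scoped alternative to a global suppress, so that a preprocessor alert such as DOUBLE DECODING ATTACK is silenced only for the web servers you have already vetted and still fires elsewhere.

```python
"""Added example, not code from the thread or from the pfSense/Snort projects.

Reads Snort alerts in the one-line "fast" format, counts the HTTP_INSPECT
preprocessor alerts (assumed here to be generator ids 119 and 120), and emits
suppress entries in Snort's threshold.conf syntax.
"""
import re
from collections import Counter

# http_inspect generator ids (assumption): 119 = client side (requests), 120 = server side (responses).
HTTP_INSPECT_GIDS = {119, 120}

# Constructed sample alert lines (not real logs) in Snort's "fast" output format.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
01/15-10:23:46.222222  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 10.0.0.5:51234
01/15-10:23:47.333333  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.5:51240 -> 203.0.113.11:80
01/15-10:23:48.444444  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.12:80 -> 10.0.0.6:51300
01/15-10:23:49.555555  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 1] {TCP} 203.0.113.13:80 -> 10.0.0.5:51250
"""

# [**] [gid:sid:rev] message [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alert(line):
    """Return a dict with gid, sid, rev, msg, proto, src, dst, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev"):
        a[k] = int(a[k])
    # Drop the "(http_inspect) " preprocessor prefix so the message reads like the GUI description.
    a["msg"] = re.sub(r"^\(\w+\) ", "", a["msg"])
    return a


def parse_alerts(text):
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def preprocessor_noise(alerts, gids=HTTP_INSPECT_GIDS):
    """Count only preprocessor alerts, keyed by (gid, sid, msg); rule alerts (gid 1) are left for review."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts if a["gid"] in gids)


def global_suppress(counts):
    """Global entries: silence the gid:sid everywhere, the 'known false positive' approach from the thread."""
    lines = []
    for (gid, sid, msg), n in sorted(counts.items()):
        lines.append(f"# {msg} (seen {n}x)")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines


def host_scoped_suppress(alerts, gids=HTTP_INSPECT_GIDS):
    """Narrower entries: silence the alert only for the web server that produced it.
    gid 120 fires on responses (server is src); gid 119 fires on requests (server is dst)."""
    entries = set()
    for a in alerts:
        if a["gid"] not in gids:
            continue
        if a["gid"] == 120:
            entries.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}")
        else:
            entries.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}")
    return sorted(entries)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("\n".join(global_suppress(preprocessor_noise(alerts))))
    print()
    print("\n".join(host_scoped_suppress(alerts)))
```

Run it against a copy of the alert log (pass the file contents to `parse_alerts` instead of `SAMPLE_ALERTS`) and paste the entries you want into the interface's suppress list; the rule-based alert with gid 1 is deliberately excluded so that only preprocessor noise ends up suppressed.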

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.