Prevent snort from blocking particular websites



  • The title says it all.  Whenever snort is enabled even the most popular websites like amazon and newegg are blocked by snort, as well as a couple of less common websites that are important to me.  Is there any way to unblock these sites on a website to website basis?



  • @thelongdivider:

    The title says it all.  Whenever snort is enabled even the most popular websites like amazon and newegg are blocked by snort, as well as a couple of less common websites that are important to me.  Is there any way to unblock these sites on a website to website basis?

    Welcome to the world of false positives.  It happens with all IDS systems.  You need to examine the alerts, and if you trust the web site and are sure it is a false positive, you have two options: (1) suppress the alert or (2) add the host to a Pass List.  Here are some links to the Documentation Wiki with some details on each method.

    https://doc.pfsense.org/index.php/Snort_suppress_list

    https://doc.pfsense.org/index.php/Snort_passlist

    There is also a long thread here in the Packages forum containing known false positives and the corresponding Suppress List entries for them.  Here is a link to that thread: https://forum.pfsense.org/index.php?topic=64674.0

    Bill
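
One way to do the "examine the alerts" step from the reply above before writing Suppress List entries, as an added example that is not part of the original posts or the pfSense Snort package. It assumes alerts in Snort's fast-alert text format; the function names are hypothetical, and the sample log, SIDs and addresses are constructed.

```python
import re
from collections import Counter

# Fast-alert line: time [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (documentation IP ranges, made-up SIDs), not real log data.
SAMPLE_LOG = """\
03/14-09:12:01.100001  [**] [1:9000001:2] EXAMPLE odd HTTP header [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:443 -> 192.0.2.10:51522
03/14-09:12:04.200002  [**] [1:9000001:2] EXAMPLE odd HTTP header [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:443 -> 192.0.2.10:51530
03/14-09:13:10.300003  [**] [1:9000002:1] EXAMPLE long URI [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51544 -> 198.51.100.20:80
03/14-09:14:00.400004  [**] [1:9000001:2] EXAMPLE odd HTTP header [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.77:443 -> 192.0.2.10:51600
this line is not an alert and is skipped
"""

def parse_alerts(text):
    """Yield (gid, sid, msg, src, dst) for every line that parses as an alert."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]

def suppress_entries(text, trusted_hosts):
    """Build suppress lines scoped to one signature and one trusted host.

    Alerts involving any other host are left alone, so the rule keeps
    firing for traffic that has not been reviewed.
    """
    hits = Counter()
    for gid, sid, msg, src, dst in parse_alerts(text):
        if src in trusted_hosts:        # trusted site sent the flagged traffic
            hits[(gid, sid, "by_src", src, msg)] += 1
        elif dst in trusted_hosts:      # flagged traffic was going to the site
            hits[(gid, sid, "by_dst", dst, msg)] += 1
    return [
        (f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}", n, msg)
        for (gid, sid, track, ip, msg), n in sorted(hits.items())
    ]

if __name__ == "__main__":
    for entry, count, msg in suppress_entries(SAMPLE_LOG, {"198.51.100.20"}):
        print(f"# {msg} ({count} alerts)")
        print(entry)
```

Each generated line silences one signature for one address only, which is narrower than disabling the rule or putting the host on a Pass List, where it is exempt from blocking by every rule.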

