3. Disabling (http_inspect) snort alerts

Disabling (http_inspect) snort alerts

  • G

    Hello,

    Disabling (http_inspect) snort alerts, as per the third option in this post (unchecking the “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies” option on the Preprocs tab): https://forum.pfsense.org/index.php?topic=62605.msg338107#msg338107

    Creates the issue described, in the following post.
    https://forum.pfsense.org/index.php?topic=31597.0

    (Error message “FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) Please enable the HTTP Inspect preprocessor before using the http content modifiers”)

    Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

    Thank you

    0
  • Moderator

    @G.D.:

    Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

    From the following link, there are some recommendations to add some suppress actions to certain Sids leaving the HTTP_Pre-processer enabled.

    https://forum.pfsense.org/index.php?topic=64674.90

    You should review them before applying. But generally they are ok to suppress.

    Here are the suppressions that I am using:

    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    suppress gen_id 120, sig_id 9
    #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
    suppress gen_id 120, sig_id 10
    #(http_inspect) UNESCAPED SPACE IN HTTP URI
    suppress gen_id 119, sig_id 33
    #(http_inspect) U ENCODING
    suppress gen_id 119, sig_id 3

    Or find the rule  #427  /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427)  and disable this rule as it depends on the HTTP_Preprocessor. There may be others.

    The link below has details on how to do that.
    https://forum.pfsense.org/index.php?topic=74930.msg410285#msg410285

    When the HTTP_Pre-Processor is disabled, I don't think that Snort can Automatically Disable rules that are "Enabled" and require the HTTP_Processor to be Enabled.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy