Disabling (http_inspect) snort alerts



  • Hello,

    Disabling (http_inspect) snort alerts, as per the third option in this post (unchecking the “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies” option on the Preprocs tab): https://forum.pfsense.org/index.php?topic=62605.msg338107#msg338107

    creates the issue described in the following post:
    https://forum.pfsense.org/index.php?topic=31597.0

    (Error message “FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) Please enable the HTTP Inspect preprocessor before using the http content modifiers”)

    Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

    Thank you


  • Moderator

    @G.D.:

    Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

    From the following link, there are some recommendations to add some suppress actions to certain SIDs, leaving the HTTP_Pre-processor enabled.

    https://forum.pfsense.org/index.php?topic=64674.90

    You should review them before applying. But generally they are ok to suppress.

    Here are the suppressions that I am using:

    #(http_inspect) SIMPLE REQUEST
    suppress gen_id 119, sig_id 32
    #(http_inspect) UNKNOWN METHOD
    suppress gen_id 119, sig_id 31
    #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
    suppress gen_id 120, sig_id 8
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    #(http_inspect) DOUBLE DECODING ATTACK
    suppress gen_id 119, sig_id 2
    #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
    suppress gen_id 120, sig_id 6
    #(http_inspect) IIS UNICODE CODEPOINT ENCODING
    suppress gen_id 119, sig_id 7
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    suppress gen_id 120, sig_id 9
    #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
    suppress gen_id 120, sig_id 10
    #(http_inspect) UNESCAPED SPACE IN HTTP URI
    suppress gen_id 119, sig_id 33
    #(http_inspect) U ENCODING
    suppress gen_id 119, sig_id 3

    Or find the rule #427 /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) and disable this rule, as it depends on the HTTP_Preprocessor. There may be others.

    The link below has details on how to do that.
    https://forum.pfsense.org/index.php?topic=74930.msg410285#msg410285

    When the HTTP_Pre-Processor is disabled, I don't think that Snort can automatically disable rules that are "Enabled" and require the HTTP_Processor to be enabled.
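
For the second approach above (disabling the rules that depend on HTTP Inspect), the following added example, which is not part of the original thread, lists every enabled rule in a snort.rules file that uses an HTTP content modifier, so that all of them can be found at once instead of one fatal error at a time. The keyword list is taken from the Snort 2.x content modifiers and is assumed to be what the error message refers to; the function name and the sample rules are constructed for illustration.

```python
import re
import sys

# Snort 2.x HTTP content modifiers (assumed to be what the FATAL ERROR refers to).
HTTP_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_method",
    "http_stat_code", "http_stat_msg",
}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')          # quoted option values
OPTION = re.compile(r'[(;]\s*(\w+)\s*(?=[;:)])')   # option keywords
ID = {k: re.compile(r'[(;]\s*%s\s*:\s*(\d+)' % k) for k in ("gid", "sid")}

def rules_needing_http_inspect(rules_text):
    """Return (line, gid, sid, modifiers) for each enabled rule using an HTTP modifier.

    Assumes one rule per line (no backslash continuations)."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):       # blank line or disabled rule
            continue
        _, paren, options = line.partition("(")
        if not paren:                              # not a rule with an option block
            continue
        # Blank out quoted strings so text inside msg/content cannot match.
        bare = QUOTED.sub('""', "(" + options)
        used = sorted(HTTP_MODIFIERS.intersection(OPTION.findall(bare)))
        if not used:
            continue
        gid, sid = (ID[k].search(bare) for k in ("gid", "sid"))
        hits.append((lineno, int(gid.group(1)) if gid else 1,
                     int(sid.group(1)) if sid else None, used))
    return hits

# Constructed sample rules (not taken from any real ruleset).
SAMPLE_RULES = "\n".join([
    r'# constructed sample',
    r'alert tcp any any -> any 80 (msg:"constructed A"; content:"/admin"; http_uri; sid:1000001; rev:1;)',
    r'# alert tcp any any -> any 80 (msg:"constructed B, disabled"; content:"x"; http_header; sid:1000002;)',
    r'alert tcp any any -> any 25 (msg:"constructed C, mentions http_uri\; in text"; content:"HELO"; sid:1000003;)',
    r'alert tcp any any -> any 80 (msg:"constructed D"; content:"POST"; http_method; content:"id="; http_client_body; gid:1; sid:1000004;)',
])

if __name__ == "__main__":
    # Pass the path to snort.rules as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, gid, sid, used in rules_needing_http_inspect(text):
        print(f"line {lineno}: gid {gid}, sid {sid}: {', '.join(used)}")
```

Each reported gid/sid pair identifies a rule that has to be disabled before Snort will start with the HTTP Inspect preprocessor turned off.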

