Netgate Discussion Forum

    Disabling (http_inspect) snort alerts

      G.D. Wusser Esq.

      Hello,

      Disabling (http_inspect) snort alerts, as per the third option in this post (unchecking the “Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies” option on the Preprocs tab): https://forum.pfsense.org/index.php?topic=62605.msg338107#msg338107

      Creates the issue described in the following post:
      https://forum.pfsense.org/index.php?topic=31597.0

      (Error message “FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) Please enable the HTTP Inspect preprocessor before using the http content modifiers”)

      Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

      Thank you

        BBcan177 Moderator

        @G.D.:

        Is there some other configuration option I am missing to make disabling HTTP_INSPECT alerts work?

        From the following link, there are some recommendations to add some suppress actions to certain SIDs, leaving the HTTP_Pre-processor enabled.

        https://forum.pfsense.org/index.php?topic=64674.90

        You should review them before applying. But generally they are ok to suppress.

        Here are the suppressions that I am using:

        #(http_inspect) SIMPLE REQUEST
        suppress gen_id 119, sig_id 32
        #(http_inspect) UNKNOWN METHOD
        suppress gen_id 119, sig_id 31
        #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
        suppress gen_id 120, sig_id 8
        #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
        suppress gen_id 120, sig_id 3
        #(http_inspect) DOUBLE DECODING ATTACK
        suppress gen_id 119, sig_id 2
        #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
        suppress gen_id 120, sig_id 6
        #(http_inspect) IIS UNICODE CODEPOINT ENCODING
        suppress gen_id 119, sig_id 7
        #(http_inspect) BARE BYTE UNICODE ENCODING
        suppress gen_id 119, sig_id 4
        #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
        suppress gen_id 120, sig_id 9
        #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
        suppress gen_id 120, sig_id 10
        #(http_inspect) UNESCAPED SPACE IN HTTP URI
        suppress gen_id 119, sig_id 33
        #(http_inspect) U ENCODING
        suppress gen_id 119, sig_id 3

        Or find the rule #427 /usr/pbi/snort-amd64/etc/snort/snort_28491_igb3/rules/snort.rules(427) and disable this rule as it depends on the HTTP_Preprocessor. There may be others.

        The link below has details on how to do that.
        https://forum.pfsense.org/index.php?topic=74930.msg410285#msg410285

        When the HTTP_Pre-Processor is disabled, I don't think that Snort can Automatically Disable rules that are "Enabled" and require the HTTP_Processor to be Enabled.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
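
An added example, not part of either post and not pfSense or Snort project code: Snort exits at the first rule that trips the FATAL ERROR quoted above, so this Python script lists every enabled rule in a snort.rules file that uses an HTTP content modifier, with the same line number Snort prints in parentheses. It assumes one rule per line and checks only the Snort 2.x content modifier keywords; the sample rules and their SIDs are constructed.

```python
import re
import sys

# Snort 2.x HTTP content modifiers; each one needs the HTTP Inspect preprocessor.
HTTP_MODIFIERS = (
    "http_client_body", "http_cookie", "http_raw_cookie", "http_header",
    "http_raw_header", "http_method", "http_uri", "http_raw_uri",
    "http_stat_code", "http_stat_msg", "http_encode",
)
# A modifier is a rule option of its own: it follows ';' or '(' and ends at ';' or ':'.
MODIFIER_RE = re.compile(r"(?<=[;(])\s*(" + "|".join(HTTP_MODIFIERS) + r")\s*(?=[;:])")
ID_RE = {k: re.compile(r"(?<=[;(])\s*" + k + r"\s*:\s*(\d+)\s*;") for k in ("gid", "sid")}
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# Constructed sample input (not real rules): line 1 is disabled, line 3 only
# mentions a modifier inside its msg text, lines 2 and 4 really use modifiers.
SAMPLE_RULES = '''\
# alert tcp any any -> any 80 (msg:"constructed: disabled"; content:"/a"; http_uri; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: uri match"; content:"/admin"; http_uri; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed: mentions http_uri; in text"; content:"HELO"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: two buffers"; content:"POST"; http_method; content:"X-Test"; nocase; http_header; sid:1000004; rev:2;)
'''.splitlines()

def find_http_dependent_rules(lines):
    """Return (line_no, gid, sid, modifiers) for every enabled rule that uses an HTTP modifier."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):  # blank line or already-disabled rule
            continue
        # Blank out quoted strings so keywords inside msg/content text are ignored.
        options = QUOTED_RE.sub('""', rule)
        modifiers = sorted(set(MODIFIER_RE.findall(options)))
        if not modifiers:
            continue
        ids = {k: rx.search(options) for k, rx in ID_RE.items()}
        gid = int(ids["gid"].group(1)) if ids["gid"] else 1  # text rules default to gid 1
        sid = int(ids["sid"].group(1)) if ids["sid"] else None
        hits.append((line_no, gid, sid, modifiers))
    return hits

if __name__ == "__main__":
    rules = SAMPLE_RULES
    if len(sys.argv) > 1:  # optional: path to a snort.rules file
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rules = fh.readlines()
    for line_no, gid, sid, modifiers in find_http_dependent_rules(rules):
        print(f"line {line_no}: {gid}:{sid} uses {', '.join(modifiers)}")
```

Run it with the path to the interface's snort.rules file as the only argument; without an argument it reports on the constructed sample.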
