[SOLVED] Snort http Inspect issue after upgrade to 2.1.5



  • Just upgraded my 2.1.4 install to 2.1.5 through console and all went good and box rebooted and came up, except I have a weird issue with Snort.  Most sites I go to now throw the Http Inspect Unknown Method and are blocked.  Not all sites have this issue; espn and cnn have it.  My question is this: is this a Snort issue or a 2.1.5 issue? Is anyone else having this issue?

    I was able to get around the problem by suppressing 119:2 and force disabling these rules, but I would like some feedback from others on this.

    Thanks



  • @keithmcp:

    Just upgraded my 2.1.4 install to 2.1.5 through console and all went good and box rebooted and came up, except I have a weird issue with Snort.  Most sites I go to now throw the Http Inspect Unknown Method and are blocked.  Not all sites have this issue; espn and cnn have it.  My question is this: is this a Snort issue or a 2.1.5 issue? Is anyone else having this issue?

    I was able to get around the problem by suppressing 119:2 and force disabling these rules, but I would like some feedback from others on this.

    Thanks

    That is one of the many false positives IPS/IDS software can throw.  I'm surprised you were not seeing it before if you were running Snort prior to the upgrade.  There is really nothing in the pfSense upgrade that should impact the alert suddenly appearing.  There are several HTTP_INSPECT alerts that many experienced users routinely suppress (or disable the rule).  In the Packages sub-forum is a thread on suggestions for a sort of "all encompassing" Suppress List for Snort.

    Bill



  • I will check it out.  I did notice that Snort did an update to the rules and it looks like this is what was happening.  Yes, it is strange that I never got this before, so it must have been the Snort update causing the issue.  It was just a matter of timing in this case.  The suppress that I did worked, so all is good and everything else with the 2.1.5 upgrade is good, so I am happy.

