Snort Blocking IP addresses in my trusted alias list



  • Hi all.

    I have an alias set up "Trusted_IPs", with a list of IP addresses I want snort to ignore - 3 in total.

    Under the Pass Lists tab, I have created a single pass list and included the "Trusted_IPs" alias. (see attached).

    Snort will block an IP address in the trusted alias list, error messages are:

    (http_inspect) UNKNOWN METHOD - 11/07/14-09:24:08
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 11/07/14-09:54:34
    
    

    I have restarted both snort & pfsense to ensure caches are cleared and tables are updated, yet snort will continue to block.

    Any ideas what I've overlooked?

    thanks

    ![Snort Pass List.jpg](/public/imported_attachments/1/Snort Pass List.jpg)



  • @JohnKap:

    Hi all.

    I have an alias set up "Trusted_IPs", with a list of IP addresses I want snort to ignore - 3 in total.

    Under the Pass Lists tab, I have created a single pass list and included the "Trusted_IPs" alias. (see attached).

    Snort will block an IP address in the trusted alias list, error messages are:

    (http_inspect) UNKNOWN METHOD - 11/07/14-09:24:08
    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 11/07/14-09:54:34
    
    

    I have restarted both snort & pfsense to ensure caches are cleared and tables are updated, yet snort will continue to block.

    Any ideas what I've overlooked?

    thanks

    The best course of action here is to disable those rules entirely.  Click the X beside the GID:SID on the ALERTS tab. That will permanently disable them.  They are well known false positives.

    The reason you still see blocks may be because of the setting for WHICH IP TO BLOCK on the SETTINGS tab for the interface.  If set to BOTH (the new default), then your PASS LIST IP should not be blocked, but the other end of the conversation will be blocked and thus communications will still be stopped.

    Bill
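
An added example, not part of the original thread and not the Snort package's own code: a simplified Python model of the behaviour described in the reply above, where the pass list filters which addresses get blocked but the other end of the conversation can still be blocked. The addresses (documentation ranges), the SRC/DST mode names alongside BOTH, and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
PASS_LIST = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]
ALERTS = [
    # (alert message, source IP, destination IP)
    ("(http_inspect) UNKNOWN METHOD", "192.0.2.10", "203.0.113.50"),
    ("(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE",
     "203.0.113.80", "198.51.100.5"),
]

def on_pass_list(ip, pass_list):
    """True if ip matches any pass list entry (single host or CIDR network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in pass_list)

def ips_to_block(src, dst, mode, pass_list):
    """Model: choose candidates by block mode, then drop pass-listed addresses."""
    candidates = {"SRC": [src], "DST": [dst], "BOTH": [src, dst]}[mode]
    return [ip for ip in candidates if not on_pass_list(ip, pass_list)]

def conversation_disrupted(src, dst, mode, pass_list):
    """Blocking either endpoint stops the traffic, even if the other is trusted."""
    return bool(ips_to_block(src, dst, mode, pass_list))

def report(alerts, pass_list):
    """Return (message, mode, blocked IPs) for every alert under every mode."""
    return [(msg, mode, ips_to_block(src, dst, mode, pass_list))
            for msg, src, dst in alerts
            for mode in ("SRC", "DST", "BOTH")]

if __name__ == "__main__":
    for msg, mode, blocked in report(ALERTS, PASS_LIST):
        print(f"{mode:4} {msg[:40]:40} blocked={blocked}")
```

In this model the trusted address never appears in the block list, yet under BOTH every sample alert still blocks the remote endpoint, which is why the trusted host's traffic stops.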

