Netgate Discussion Forum

    Snort Blocking IP addresses in my trusted alias list

    pfSense Packages
    • JohnKap

      Hi all.

      I have an alias set up "Trusted_IPs", with a list of IP addresses I want snort to ignore - 3 in total.

      Under the Pass Lists tab, I have created a single pass list and included the "Trusted_IPs" alias. (see attached).

      Snort will block an IP address in the trusted alias list, error messages are:

      (http_inspect) UNKNOWN METHOD - 11/07/14-09:24:08
      (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 11/07/14-09:54:34
      
      

      I have restarted both snort & pfsense to ensure caches are cleared and tables are updated, yet snort will continue to block.

      Any ideas what I've overlooked?

      thanks

      ![Snort Pass List.jpg](/public/imported_attachments/1/Snort Pass List.jpg)

      • bmeeks

        @JohnKap:

        Hi all.

        I have an alias set up "Trusted_IPs", with a list of IP addresses I want snort to ignore - 3 in total.

        Under the Pass Lists tab, I have created a single pass list and included the "Trusted_IPs" alias. (see attached).

        Snort will block an IP address in the trusted alias list, error messages are:

        (http_inspect) UNKNOWN METHOD - 11/07/14-09:24:08
        (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE - 11/07/14-09:54:34
        
        

        I have restarted both snort & pfsense to ensure caches are cleared and tables are updated, yet snort will continue to block.

        Any ideas what I've overlooked?

        thanks

        The best course of action here is to disable those rules entirely.  Click the X beside the GID:SID on the ALERTS tab. That will permanently disable them.  They are well known false positives.

        The reason you still see blocks may be because of the setting for WHICH IP TO BLOCK on the SETTINGS tab for the interface.  If set to BOTH (the new default), then your PASS LIST IP should not be blocked, but the other end of the conversation will be blocked and thus communications will still be stopped.

        Bill

        1 Reply Last reply Reply Quote 0
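A simplified model of the pass list and WHICH IP TO BLOCK interaction described in the reply above, added here as an illustration; it is not the Snort package's code and not from either poster. The SRC and DST setting names, the function names and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
PASS_LIST = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]  # stand-in for "Trusted_IPs"
ALERT = {"src": "203.0.113.80", "dst": "192.0.2.10",
         "msg": "(http_inspect) UNKNOWN METHOD"}


def in_pass_list(ip, pass_list):
    """True if ip matches any host or CIDR entry in the pass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in pass_list)


def ips_to_block(alert, which, pass_list):
    """Simplified model (assumption): pick candidates per the
    WHICH IP TO BLOCK setting, then drop pass-listed addresses."""
    candidates = {"SRC": [alert["src"]],
                  "DST": [alert["dst"]],
                  "BOTH": [alert["src"], alert["dst"]]}[which.upper()]
    return [ip for ip in candidates if not in_pass_list(ip, pass_list)]


def trusted_traffic_interrupted(alert, which, pass_list):
    """True when a pass-listed host is in the flow and its peer gets blocked,
    so the trusted host's conversation stops even though it is not blocked."""
    blocked = ips_to_block(alert, which, pass_list)
    trusted = [ip for ip in (alert["src"], alert["dst"])
               if in_pass_list(ip, pass_list)]
    return bool(trusted) and bool(blocked)


if __name__ == "__main__":
    for setting in ("SRC", "DST", "BOTH"):
        print(setting, ips_to_block(ALERT, setting, PASS_LIST),
              trusted_traffic_interrupted(ALERT, setting, PASS_LIST))
```

With BOTH, the block list contains only the untrusted peer, yet the trusted host's session is still reported as interrupted, which matches the symptom in the thread.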