Snort suppress list not working ?

godtor

Hello,

i have problems with some ruls that are fals-pozitive like:
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) UNKNOWN METHOD

Added suppress gen_id 119, sig_id 4 for BARE BYTE UNICODE ENCODING but with no effect (restarted snort afther adding the suppress rule)

Tried to disable the rule from Wan rules > preprocessor.rules, in the snort Alert the disabled rules will appear with a yellow X but snort will block this alert even if is disabled.

Is there a way to disable all the snort rules ? I only want to use my custom rules.. tnx.

BBcan177

The following threads have some more info to help you :

https://forum.pfsense.org/index.php?topic=87374.msg479725#msg479725

godtor

Already did that, from there i have the suppress list.. problem is that suppress list not working..

godtor

Solved, i was missing the "Choose a suppression or filtering file if desired" option.. my bad sry :)

bmeeks

@godtor:

Solved, i was missing the "Choose a suppression or filtering file if desired" option.. my bad sry :)

And after choosing that file and saving the change, remember to restart Snort on that interface.

Bill