[Snort-users] Snort rule for allowing Logitech Squeezebox streaming service/traffic

Al Lewis (allewi) allewi at cisco.com
Mon Jun 11 08:38:39 EDT 2018


Do you have a sample of the traffic?

http_inspect is a preprocessor, so the rule is firing because it sees suspected HTTP traffic with some fields missing that should be in standard HTTP communications.

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com

On 6/11/18, 8:34 AM, "Snort-users on behalf of Dominik Steiner via Snort-users" <snort-users-bounces at lists.snort.org on behalf of snort-users at lists.snort.org> wrote:

    Hi Snort users
    I am quite a beginner with Snort and have a tricky question on creating a rule for a radio streaming service.
    I am using Logitech Squeezebox as a music streaming system for my home and found out that since I activated Snort it always drops my streaming and I cannot listen to online radios anymore.
    When I found out that Snort is blocking my traffic to the Squeezebox streaming server, it showed in the alert log that it always classifies the traffic as "Unknown Traffic" and it always logs it against the port 9000 from the streaming server (where the service is running on) and port 80 (not sure why 80).
    Description of blocked traffic is always: (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    Does anyone have an idea how to fix this and keep Snort on while allowing this traffic?
    The service is running on port 9000, how can I create a rule to enable such traffic to flow through?
    Haven’t found any thread on the internet which solves this issue, that’s why I am reaching out to you.
    Thanks for your support

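When collecting the traffic sample asked for above, a captured response head can be checked for the two headers named in the alert text. This is an added example, not part of the original messages and not Snort's own logic; the function names and both sample responses are constructed for illustration, and the check only approximates the condition the alert describes.

```python
# Added example (not from the thread): approximates the condition the
# http_inspect alert describes; it is not Snort's own implementation.

# Statuses whose responses carry no body, so no length framing is expected.
BODILESS = {204, 304}

def parse_response_head(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    # Streaming servers may answer "ICY 200 OK" instead of "HTTP/1.x 200 OK".
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP-style status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def lacks_length_framing(raw: bytes) -> bool:
    """True when a body-bearing response has neither framing header."""
    status, headers = parse_response_head(raw)
    if status < 200 or status in BODILESS:
        return False
    return "content-length" not in headers and "transfer-encoding" not in headers

# Constructed sample inputs (not captured from a real Squeezebox server).
STREAM_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: audio/mpeg\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\xff\xfb\x90\x00"  # start of audio data; body runs until the server closes
)
PAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"content-length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, raw in (("stream", STREAM_RESPONSE), ("page", PAGE_RESPONSE)):
        print(label, "lacks length framing:", lacks_length_framing(raw))
```

A response that returns `True` here is framed only by the server closing the connection, which is the pattern worth confirming in the capture before deciding how to handle the alert for that server and port.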