Snort mailing list archives
http_decode alerts bypassing "pass" rules
From: Pete Philips <pete () s3 integralis co uk>
Date: Wed, 09 May 2001 17:22:50 +0100
I have several "pass" rules in my snort.conf (before the http_decode preprocessor) which ignore all traffic to and from certain machines which are regularly used to test exploits etc. This works fine and no alerts are generated by these hosts except when it is generated by http_decode, such as:

    May 9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected: 10.1.1.31:1312 -> 192.168.1.1:80

Is there a way to also silence these alerts for particular hosts?

Thanks!

Pete.

PS. I am running Snort 1.7 on OpenBSD.

---------------------------------------------------------------
| Pete Philips                                         \|/    |
| Integralis S3 Team                                    O     |
| E-mail: pete () s3 integralis co uk                         |
| Phone: +44 118 930 6060                                     |
| PGP Key: http://www.s3.integralis.co.uk/pgp/pete.gpg        |
---------------------------------------------------------------