Re: Snort 2.1.0 - Shutting up http_inspect on non web servers

[Owen McCusker <mccusker () sonalysts com>]

I am may not fully understand what you mean by "shut up",
but if you want to ensure that alerts are suppressed
you may try suppressing the error with the threshold.conf file
in the /etc/snort/ dir.

from threshold.conf

--clip
suppress gen_id 111 sig_id 14
--clip

I am running 2.1.0 and this facility has been working for
me for a few different types of alerts defined by gen_id and sig_id
associated with various types of alerts from rules, and preprocessors.

You can grap the gen_id and sig_id by "tail -f"ing your syslog and look
for alerts that may be more like "noise" on your network.

Regards,
Owen

> On Wed, 14 Jan 2004 09:14:44 -0600
> "Schmehl, Paul L" <pauls () utdallas edu> wrote:
>
> >  > -----Original Message-----
> >  > From: snort-users-admin () lists sourceforge net
> >  > [mailto:snort-users-admin () lists sourceforge net]
> On Behalf Of
> >  > James Nonya
> >  > Sent: Wednesday, January 14, 2004 8:16 AM
> >  > To: snort-users () lists sourceforge net
> >  > Subject: Re: [Snort-users] Snort 2.1.0 - Shutting
> up
> >  > http_inspect on non web servers
> >  >
> >  > Hehe...here's from a previous post:
> >  >
> >  > preprocessor http_inspect_server: server default \
> >  >     ports { 80 8080 } \
> >  >     flow_depth 300 \
> >  >     ascii no \
> >  >     utf_8 no \
> >  >     bare_byte no \
> >  >     base36 no \
> >  >     iis_unicode no \
> >  >     double_decode no \
> >  >     non_rfc_char { 0x00 } \
> >  >     multi_slash no \
> >  >     iis_backslash no \
> >  >     directory no \
> >  >     apache_whitespace no \
> >  >     iis_delimiter no \
> >  >     chunk_length 64000 \
> >  >     non_strict
> >  >
> >  This should have been sufficient, with one
> exception.  It does not "shut
> >  up" non_rfc_chars.  Anyone know how to do that?
> >
> >  preprocessor http_inspect_server: server default \
> >       ports { 80 8080 } \
> >       flow_depth 300 \
> >       no_alerts
> >
> >  Paul Schmehl (pauls () utdallas edu)
> >  Adjunct Information Security Officer
> >  The University of Texas at Dallas
> >  AVIEN Founding Member
> >  http://www.utdallas.edu/~pauls/
>
>
> Paul,
>
> Have you tried setting it to monitor port 0 or
> something like that?  Maybe telling http_instpect to
> monitor a little used port would work..think I'll try
> that now.
>
> James
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
> http://hotjobs.sweepstakes.yahoo.com/signingbonus
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users