Snort mailing list archives
Re: Snort 2.1.0 - Shutting up http_inspect on non web servers
From: Owen McCusker <mccusker () sonalysts com>
Date: Wed, 14 Jan 2004 14:47:59 -0500
I may not fully understand what you mean by "shut up", but if you want to ensure that alerts are suppressed you may try suppressing the error with the threshold.conf file in the /etc/snort/ dir.

from threshold.conf
--clip
suppress gen_id 111 sig_id 14
--clip

I am running 2.1.0 and this facility has been working for me for a few different types of alerts defined by gen_id and sig_id, associated with various types of alerts from rules and preprocessors. You can grab the gen_id and sig_id by "tail -f"ing your syslog and looking for alerts that may be more like "noise" on your network.

Regards,
Owen
On Wed, 14 Jan 2004 09:14:44 -0600 "Schmehl, Paul L" <pauls () utdallas edu> wrote:

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of James Nonya
> Sent: Wednesday, January 14, 2004 8:16 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort 2.1.0 - Shutting up http_inspect on non web servers
>
> Hehe...here's from a previous post:
>
> preprocessor http_inspect_server: server default \
>     ports { 80 8080 } \
>     flow_depth 300 \
>     ascii no \
>     utf_8 no \
>     bare_byte no \
>     base36 no \
>     iis_unicode no \
>     double_decode no \
>     non_rfc_char { 0x00 } \
>     multi_slash no \
>     iis_backslash no \
>     directory no \
>     apache_whitespace no \
>     iis_delimiter no \
>     chunk_length 64000 \
>     non_strict

This should have been sufficient, with one exception. It does not "shut up" non_rfc_chars. Anyone know how to do that?

preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 300 \
    no_alerts

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

Paul,

Have you tried setting it to monitor port 0 or something like that? Maybe telling http_inspect to monitor a little used port would work...think I'll try that now.

James
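Owen's suggestion above (tail the syslog, pick out the gen_id/sig_id of the alerts that are just noise, and suppress them in threshold.conf) as an added Python example; this is not code from anyone in the thread. It assumes the Snort 2.x syslog alert format, where each alert is tagged "[gid:sid:rev]"; the syslog lines and the 1:1000001 local rule are constructed samples, and it goes one step further than the thread by emitting Snort's "track by_src, ip" form when every hit came from a single source.

```python
"""Turn noisy Snort alerts seen in syslog into threshold.conf suppress lines.
Added example, not from the thread; assumes Snort 2.x syslog output, which tags
each alert with its generator and signature id as "[gid:sid:rev]"."""
import re
from collections import Counter, defaultdict

# "... snort[pid]: [gid:sid:rev] msg [Priority: n]: {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \["
    r".*?\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> "
)

# Constructed sample lines (not from a real sensor); 1:1000001 is a made-up local rule.
SAMPLE_SYSLOG = """\
Jan 14 14:01:02 sensor snort[2101]: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [Priority: 3]: {TCP} 10.1.2.3:34122 -> 10.1.2.10:8080
Jan 14 14:01:03 sensor snort[2101]: [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [Priority: 3]: {TCP} 10.1.2.4:51000 -> 10.1.2.10:8080
Jan 14 14:01:04 sensor snort[2101]: [1:1000001:1] LOCAL chatty test rule [Classification: Misc activity] [Priority: 3]: {TCP} 10.1.2.3:34125 -> 10.1.2.10:80
Jan 14 14:01:05 sensor snort[2101]: [1:1000001:1] LOCAL chatty test rule [Classification: Misc activity] [Priority: 3]: {TCP} 10.1.2.3:34126 -> 10.1.2.10:80
Jan 14 14:01:06 sensor sshd[900]: Accepted publickey for ops from 10.1.2.50 port 40000
"""

def tally_alerts(syslog_text):
    """Count alerts per (gid, sid); also keep each id's source IPs and message."""
    counts, sources, messages = Counter(), defaultdict(set), {}
    for line in syslog_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a Snort alert line (e.g. sshd); skip it
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        sources[key].add(m["src"])
        messages[key] = m["msg"]
    return counts, sources, messages

def suppress_lines(counts, sources, messages, min_count):
    """threshold.conf suppress lines for ids that fired at least min_count times.
    If every hit came from one source IP, suppress only that source (Snort's
    "track by_src, ip" form) so the id keeps alerting for everyone else."""
    out = []
    for key, n in sorted(counts.items()):
        if n < min_count:
            continue
        rule = f"suppress gen_id {key[0]}, sig_id {key[1]}"
        if len(sources[key]) == 1:
            rule += f", track by_src, ip {next(iter(sources[key]))}"
        out.append(f"# {n} hits: {messages[key]}\n{rule}")
    return out

if __name__ == "__main__":
    print("\n".join(suppress_lines(*tally_alerts(SAMPLE_SYSLOG), min_count=2)))
```

Review the generated lines before appending them to threshold.conf: a suppress hides every future hit for that id, so only ids you have confirmed as noise belong there.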