Snort mailing list archives

RE: Disable alerts from certain machines - Not working for me?


From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 11 Jun 2004 08:53:02 -0700 (PDT)

Andreas and All,

Andreas' document below has helped me a lot along the way.
But here I have a specific issue after I upgraded
snort to 2.1.2. It started to show more and more
http_inspect alerts every day. So, I chose to use
suppress to try to deal with it. I did this in
threshold.conf (where my snort.conf resides) as:

# suppress gen_id 1, sig_id 1852
suppress gen_id 119, sig_id 12
suppress gen_id 119, sig_id 13
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 16


as in the alert files, it shows hundreds of alerts as
below:
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]

I restarted snort and let it run for a day; it still
shows a lot of the same alerts. Is there anything I didn't do right
here, please?

Please anyone who has some clues here. 

Thanks again!
Snty. 

--- Andreas_Östling <andreaso () it su se> wrote:

On Thu, 25 Mar 2004, Snortty wrote:

Jerry and All,

I want to do exactly the below, to disable ANY and ALL alerts from certain IPs (dedicated scanners), and I used the tips below by either:

pass ip 10.1.1.1 any -> any any
...

Disabling all alerts from a host and using pass rules to pass all traffic from that host is not the same thing. Pass rules have no effect on alerts generated by preprocessors for example, although you don't mention if that's the case here.

Btw, I tried to write a little document describing these things,

http://people.su.se/~andreaso/docs/README.avoiding_alerts

It's still kind of a beta so I'd appreciate any comments/suggestions from anyone.

/Andreas
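Added example, not from the thread: a small Python checker that parses the suppress entries in a threshold.conf and the `[**] [gid:sid:rev] msg [**]` headers from a Snort alert file, then reports which alerts no active suppress entry covers. The sample config and alert headers are constructed from the ones quoted above (a commented-out suppress line is ignored, as Snort does), plus one made-up alert for contrast.

```python
import re

# Constructed sample threshold.conf: the entries from the post, including the commented-out one.
THRESHOLD_CONF = """\
# suppress gen_id 1, sig_id 1852
suppress gen_id 119, sig_id 12
suppress gen_id 119, sig_id 13
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 16
"""

# Constructed sample alert headers in Snort's "[**] [gid:sid:rev] msg [**]" format;
# the last line is a made-up rule alert (gid 1) for contrast.
ALERT_LOG = """\
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[**] [1:1852:3] WEB-MISC robots.txt access [**]
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")


def parse_suppress(conf: str) -> set:
    """Return the (gen_id, sig_id) pairs from active suppress lines.
    Lines starting with '#' are comments and never take effect."""
    pairs = set()
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def parse_alerts(log: str) -> list:
    """Return (gen_id, sig_id, message) for every alert header in the log."""
    return [(int(m.group(1)), int(m.group(2)), m.group(4)) for m in ALERT_RE.finditer(log)]


def unsuppressed(conf: str, log: str) -> list:
    """Alerts whose gid:sid pair has no active suppress entry in the config."""
    pairs = parse_suppress(conf)
    return [a for a in parse_alerts(log) if (a[0], a[1]) not in pairs]


if __name__ == "__main__":
    for gid, sid, msg in unsuppressed(THRESHOLD_CONF, ALERT_LOG):
        print(f"not suppressed: [{gid}:{sid}] {msg}")
```

Running it against a real threshold.conf and alert file shows whether the suppress entries at least match the gid:sid pairs being logged; if they do and the alerts still appear, the problem lies elsewhere than the entries themselves.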
