Snort mailing list archives
RE: Disable alerts from certain machines - Not working for me?
From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 11 Jun 2004 08:53:02 -0700 (PDT)
Andreas and All,

Andreas' document below helps me a lot along the way. But here I have a specific issue after I upgraded snort to 2.1.2. It started to show more and more http_inspect alerts every day. So, I chose to use suppress to try to deal with it. I did in the threshold.conf (where my snort.conf resides) as:

# suppress gen_id 1, sig_id 1852
suppress gen_id 119, sig_id 12
suppress gen_id 119, sig_id 13
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 16

as in the alert files, it shows hundreds of alerts as below:

[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]

I restarted snort and let it run for a day; it still shows a lot of the same alerts. Anything I didn't do right here please? Please anyone who has some clues here. Thanks again!

Snty.

--- Andreas_Östling <andreaso () it su se> wrote:
> On Thu, 25 Mar 2004, Snortty wrote:
> > Jerry and All, I want to do exactly the below, to disable ANY and ALL alerts from certain IPs (dedicated scanners), and I used the tips below by either:
> > pass ip 10.1.1.1 any -> any any...
>
> Disabling all alerts from a host and using pass rules to pass all traffic from that host is not the same thing. Pass rules have no effect on alerts generated by preprocessors, for example, although you don't mention if that's the case here.
>
> Btw, I tried to write a little document describing these things,
> http://people.su.se/~andreaso/docs/README.avoiding_alerts
> It's still kind of a beta so I'd appreciate any comments/suggestions from anyone.
>
> /Andreas
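As an added check (example code written for this archive page, not from the thread or the Snort project): a small script that parses the live suppress entries from a threshold.conf fragment and the [gid:sid:rev] tags from Snort alert lines, then lists the suppressed events that still appear in the alert file. The threshold.conf and alert lines are constructed samples mirroring the post, the commented-out line is skipped as Snort would, and entries carrying an optional track/ip qualifier are treated as unconditional here, which over-approximates what Snort suppresses.

```python
import re
from collections import Counter

# Constructed threshold.conf fragment mirroring the post: one commented-out
# entry plus four live suppress lines.
THRESHOLD_CONF = """\
# suppress gen_id 1, sig_id 1852
suppress gen_id 119, sig_id 12
suppress gen_id 119, sig_id 13
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 16
"""

# Constructed alert-file lines in Snort's "[**] [gid:sid:rev] msg [**]" form.
ALERT_FILE = """\
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [1:1852:1] CONSTRUCTED SAMPLE ALERT [**]
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):\d+\]\s*(.*?)\s*\[\*\*\]")

def parse_suppress(conf_text):
    """Set of (gid, sid) pairs with an active suppress entry; '#' comment
    lines are skipped, so the commented-out 1:1852 entry does not count."""
    pairs = set()
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs

def parse_alerts(alert_text):
    """Alert count per (gid, sid); the revision field is ignored."""
    counts = Counter()
    for m in ALERT_RE.finditer(alert_text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts

def still_firing(conf_text, alert_text):
    """(gid, sid) -> count for events suppressed in the config that still
    appear in the alert file; an empty dict means suppression is working."""
    suppressed = parse_suppress(conf_text)
    return {k: n for k, n in parse_alerts(alert_text).items() if k in suppressed}
```

Run it against a fresh alert file after a restart; a non-empty result confirms the suppress entries are not taking effect, but it does not say why, so also confirm separately that snort.conf actually has an include line pulling in threshold.conf.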