Snort mailing list archives
Re: Problems finding gen_id sig_id
From: Patrick Marquetecken <patrick.marquetecken () pandora be>
Date: Thu, 9 Dec 2004 16:10:37 +0100
On Wed, 8 Dec 2004 11:06:25 -0500 sekure <sekure () gmail com> wrote:
Yep, openaanval currently makes no differentiation between gen_id's, I filed a bug in their support forum. In the meantime, http_inspect gen_id is 119, the sig_id for
IIS Unicode is 6
Double Decoding is 1
Apache Whitespace is 11
(from preprocessors/HttpInspect/include/hi_eo_events.h)
After changing snort.conf (enabling threshold.conf) and placing the following lines in threshold.conf:

suppress gen_id 119, sig_id 6, track by_dst, ip xxx.xxx.xxx.xxx
suppress gen_id 119, sig_id 1, track by_dst, ip xxx.xxx.xxx.xxx
suppress gen_id 119, sig_id 11, track by_dst, ip xxx.xxx.xxx.xxx

and restarting snort and barnyard, I still see these "warnings" in openaanval.
On Wed, 8 Dec 2004 16:42:09 +0100, Patrick Marquetecken <patrick.marquetecken () pandora be> wrote:
Hi,

I can't seem to find the gen_id, sig_id for:
http_inspect: IIS UNICODE CODEPOINT
http_inspect: DOUBLE DECODING ATTACK
http_inspect: APACHE WHITESPACE (TAB)

I get a lot of warnings/attacks from computers of our external office that are accessing our proxy server. The only way that I can filter them is with the threshold.conf. I'm using openaanval to monitor, but if I ask for details on these "attacks" the snort website always says: "Sorry, no such sid-gen"

So who knows the right gen_id and sig_id? I'm using snort 2.2, so is there a problem with openaanval?

Patrick

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problems finding gen_id sig_id Patrick Marquetecken (Dec 08)
- Re: Problems finding gen_id sig_id sekure (Dec 08)
- Re: Problems finding gen_id sig_id Patrick Marquetecken (Dec 09)
- Re: Problems finding gen_id sig_id sekure (Dec 08)