Snort mailing list archives

Re: Snort Configurations


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 23 Sep 2010 15:04:04 -0400

On 9/22/2010 22:45, Alex Tatistcheff wrote:
> You can suppress the alerting and not affect the normalization (the important
> part) of the http_inspect preprocessor by commenting out the rules in the
> preprocessor.rules file.

ahHa! those would be the HI_CLIENT_* rules for the http_inspect stuff...

in my situation, the one i see the most is the OVERSIZE_DIR alert... i handled 
that one by adjusting oversize_dir_length to 500 in my "server default"... that 
knocked them way back but i still get some which i suspect are mainly due to 
advertising urls and some referrers that search engines emit...

> Or you can suppress the output in threshold.conf with something like:
> suppress gen_id 119, sig_id 13

> The first option is what I would recommend.

i'm undecided which way i'd go... one may not want to completely terminate 
certain alerts... i think i'd probably tend to lean more toward suppressing them 
for specific IPs... too bad it can't be done by domain name but i fully 
understand why that would be a BadIdea<tm> ;)

anyone else care to share their preference/recommendation and the reasoning 
behind that choice??


> Alex Tatistcheff
> alext () pobox com
>
> The most terrifying words in the English language are, "I'm from the government
> and I'm here to help." -Ronald Reagan


> On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane () laneconstinc com> wrote:

    Well there are 3 types of http_inspects that I am getting mainly.
      http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
    http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
    Every one of the sources is from inside my network.  Many of them are to
    amazon EC, quantserve.com (cookie related), yahoo,
    google, facebook, and Pandora.  So you can see that most of the traffic is
    legit and it isn't being triggered from outside the domain.  I'm just not
    sure how to cut down on the number of alerts.  When I get that done I will
    move on to the next but I am trying to do this in steps so that I can
    understand everything that is going on

    Greg Lane
    IT Manager
    Lane Enterprises

    Email: greglane () laneconstinc com
    Phone: (228)872-2414

    -----Original Message-----
    From: waldo kitty [mailto:wkitty42 () windstream net]
    Sent: Wednesday, September 22, 2010 1:21 PM
    To: snort-users () lists sourceforge net
    Subject: Re: [Snort-users] Snort Configurations

    On 9/22/2010 12:39, Greg Lane wrote:
     > I’m starting to learn how to tune my Snort install and it is a slow
     > process.  I have alerts like crazy because I know it needs to be tuned and I
     > especially have a lot of http_inspect alerts coming up. I’ve been reading and
     > from what I can gather if you don’t have a webserver you may not really need
     > this in operation or am I wrong?

    the answer is "it depends"... it depends on if you want to monitor outbound http
    traffic to possibly catch infestations on your network that are reporting in or
    attacking remote http servers... you might also catch (and be able to prevent)
    internal machines that are being redirected to driveby sites that would (attempt
    to) load them with infestation materials...

     > If I am wrong then what is the best possible solution for me to cut
     > down most of the alerts which are false positives so to speak or aren’t
     > dangerous at all? This will probably be one of many questions concerning
     > configs coming to an email box near you.

    false positives need to be reported to those who write those rules so they can
    be looked into and adjusted if necessary...
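The tuning options discussed in this thread, written out as an added configuration example; this is not any poster's configuration and not Snort's shipped files. It assumes Snort 2.x syntax for snort.conf and threshold.conf. The address ranges are constructed placeholders, and `sig_id 13` is simply the id Alex quoted above: the sid for each HI_CLIENT_* message you actually want to quiet should be read from the matching entry in preprocessor.rules.

```conf
# --- snort.conf: tune the http_inspect normalizer instead of switching it off.
# Raising oversize_dir_length keeps normalization intact and only changes the
# point at which OVERSIZE REQUEST-URI DIRECTORY fires (500 is the value used in
# the thread; the ports list is a placeholder for your own).
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    oversize_dir_length 500

# --- threshold.conf: three ways to quiet one preprocessor alert without
# editing the rule itself. gen_id 119 is http_inspect; sig_id 13 is the
# example from the thread (look up the real sid in preprocessor.rules).

# 1. Drop the event everywhere (the "terminate it completely" option).
suppress gen_id 119, sig_id 13

# 2. Drop it only for known-noisy internal clients (constructed ranges),
#    so the same event from any other source is still reported.
suppress gen_id 119, sig_id 13, track by_src, ip 192.0.2.0/24
suppress gen_id 119, sig_id 13, track by_src, ip [198.51.100.10,198.51.100.11]

# 3. Keep the event but rate-limit it: at most one alert per source per hour,
#    so a host that suddenly starts producing a flood is still visible.
event_filter gen_id 119, sig_id 13, type limit, track by_src, count 1, seconds 3600
```

Option 2 is the per-IP middle ground discussed above, and option 3 answers the worry about silencing an alert entirely: a single noisy browser still shows up once an hour, while a host whose behaviour changes remains in the alert stream. After editing, `snort -T -c /etc/snort/snort.conf` (path assumed) validates the configuration before a restart.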

