Re: stream5 and http_inspect

[Jack <kingofnerds () gmail com>]

Here is a list of ID's I put into my thresholds.conf file to filter
out some noisy rules
suppress gen_id 120, sig_id 3
suppress gen_id 129, sig_id 15
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 4
suppress gen_id 124, sig_id 9
suppress gen_id 1, sig_id 368
suppress gen_id 1, sig_id 366
suppress gen_id 1, sig_id 408
suppress gen_id 1, sig_id 402
suppress gen_id 1, sig_id 384
suppress gen_id 1, sig_id 396


I think one of those does match some of the stream5 stuff

On Wed, Sep 5, 2012 at 9:58 AM, Joel Esler <jesler () sourcefire com> wrote:
> They sure do, in the preprocessors.rules (if you are using that)
>
> Otherwise, you can suppress them.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Sep 5, 2012, at 9:49 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:
>
> > I am getting excessive number of stram5: TCP small segment threshold exceeded, and http_inspect: long header alerts. 
> > I do not want to disable these Preprocessors (stream5 is anyways needed for certain other preprocessors). So what 
> > should I do? I guess preprocessors dont really have a 'rule' which I can just comment so that it wont show up, right?
> >
> > Thanks.
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
_____________________________________
 ---- In the end Nerds will Rule the World ----

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!