Snort mailing list archives
Re: stream5 and http_inspect
From: Jack <kingofnerds () gmail com>
Date: Wed, 5 Sep 2012 10:42:35 -0400
Here is a list of ID's I put into my thresholds.conf file to filter out some noisy rules suppress gen_id 120, sig_id 3 suppress gen_id 129, sig_id 15 suppress gen_id 129, sig_id 12 suppress gen_id 129, sig_id 4 suppress gen_id 124, sig_id 9 suppress gen_id 1, sig_id 368 suppress gen_id 1, sig_id 366 suppress gen_id 1, sig_id 408 suppress gen_id 1, sig_id 402 suppress gen_id 1, sig_id 384 suppress gen_id 1, sig_id 396 I think one of those does match some of the stream5 stuff On Wed, Sep 5, 2012 at 9:58 AM, Joel Esler <jesler () sourcefire com> wrote:
They sure do, in the preprocessors.rules (if you are using that) Otherwise, you can suppress them. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Sep 5, 2012, at 9:49 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:I am getting excessive number of stram5: TCP small segment threshold exceeded, and http_inspect: long header alerts. I do not want to disable these Preprocessors (stream5 is anyways needed for certain other preprocessors). So what should I do? I guess preprocessors dont really have a 'rule' which I can just comment so that it wont show up, right? Thanks. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- _____________________________________ ---- In the end Nerds will Rule the World ---- ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- stream5 and http_inspect Pratik Narang (Sep 05)
- Re: stream5 and http_inspect Joel Esler (Sep 05)
- Re: stream5 and http_inspect Jack (Sep 05)
- Re: stream5 and http_inspect Joel Esler (Sep 05)