Snort mailing list archives

http_decode alerts bypassing "pass" rules


From: Pete Philips <pete () s3 integralis co uk>
Date: Wed, 09 May 2001 17:22:50 +0100

I have several "pass" rules in my snort.conf (before the
http_decode preprocessor) which ignore all traffic to and
from certain machines which are regularly used to test
exploits etc.

This works fine and no alerts are generated by these hosts
except when they are generated by http_decode, such as:

May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected:
10.1.1.31:1312 -> 192.168.1.1:80

Is there a way to also silence these alerts for particular hosts?

Thanks!


Pete.

PS. I am running Snort 1.7 on OpenBSD.

 ---------------------------------------------------------------
|   Pete Philips                                           \|/  |
|   Integralis S3 Team                                      O   |
|   E-mail:  pete () s3 integralis co uk                           |
|   Phone:   +44 118 930 6060                                   |
|   PGP Key: http://www.s3.integralis.co.uk/pgp/pete.gpg        |
 ---------------------------------------------------------------

