Snort mailing list archives
Re: Pre-processor Tuning
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 29 Jan 2002 22:18:27 -0500
Try deactivating it and just using http_decode, their functionality overlaps
anyway...
-Marty
On 1/29/02 9:23 AM, "Bob Wallis" <gobroncos () chartermi net> wrote:
unidecode is the one giving me the most alerts on outbound packets at the moment... ----- Original Message ----- From: "Martin Roesch" <roesch () sourcefire com> To: "Bob Wallis" <gobroncos () chartermi net>; <snort-users () lists sourceforge net> Sent: Monday, January 28, 2002 9:53 PM Subject: Re: [Snort-users] Pre-processor TuningHm, there's likely no easy way to do this unfortunately. Some of the preprocessors take tuning data, which one are you referring to in particular? -Marty On 1/28/02 4:23 PM, "Bob Wallis" <gobroncos () chartermi net> wrote:It seems that my snort box is doing a good job of decoding packets with,forinstance, the unidecode pre-processor. However, all the alerts are with sources from my network. Can I tune that somehow? In rules, it's clear that one defines variables for the source that donotinclude one's local network. Can the same be done for thepre-processors?I've looked around in confs and docs and I'm not seeing it. Many thanks, B _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Pre-processor Tuning Bob Wallis (Jan 28)
- Re: Pre-processor Tuning Martin Roesch (Jan 28)
- Re: Pre-processor Tuning Bob Wallis (Jan 29)
- Re: Pre-processor Tuning Martin Roesch (Jan 29)
- Re: Pre-processor Tuning Bob Wallis (Jan 29)
- Re: Pre-processor Tuning Martin Roesch (Jan 28)