Snort mailing list archives

Re: Ok, Ok - I know - http_inspect


From: Chris Keladis <chris () cmc optus net au>
Date: Sat, 19 Jun 2004 09:28:26 +1000

At 06:42 AM 6/19/2004, SN ORT wrote:

> Hi Marc,
>
> Yes, but is that really gen_id 119? I mean you can
> threshold the snort sigs but I don't know that you can
> threshold inspect alerts! Anyone try to threshold
> decode or inspect alerts? I don't know because I have
> not looked at threshold too much, but I do know that
> you have to specify a sig_id, which these particular
> alerts do not have. Good luck sir!

Even the pre-processors have SIDs, as well as their GID number.

You can threshold (or suppress) specific SIDs generated by the pre-processors (GIDs) with no problem.

You can find the GID/SID matrix in the snort source in the file generators.h

More details about configuration of thresholding are in the Snort manual:

http://www.snort.org/docs/snort_manual/node18.html




Regards,

Chris.
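
An added example, not part of the original post: a short script that tallies the [gid:sid:rev] triple in Snort "fast" alert lines and prints a standalone `threshold` line for each noisy preprocessor (non-GID-1) alert, such as http_inspect's GID 119. The alert lines are constructed, and the function names and the `min_hits` cutoff are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format (not taken from the post).
SAMPLE_ALERTS = """\
06/19-09:28:26.100000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 10.0.0.5:3101 -> 192.168.1.10:80
06/19-09:28:27.200000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 10.0.0.5:3102 -> 192.168.1.10:80
06/19-09:28:28.300000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 10.0.0.7:4400 -> 192.168.1.10:80
06/19-09:28:29.400000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 10.0.0.7:4401 -> 192.168.1.10:80
06/19-09:28:30.500000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 10.0.0.9:5000 -> 192.168.1.10:80
06/19-09:28:31.600000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 10.0.0.9:5001 -> 192.168.1.10:80
"""

# Every alert, whether from a rule or a preprocessor, carries a [gid:sid:rev] triple.
ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def count_by_generator(text):
    """Return a Counter keyed by (gid, sid) for all alert lines in text."""
    counts = Counter()
    for line in text.splitlines():
        match = ALERT_ID.search(line)
        if match:
            counts[(int(match.group(1)), int(match.group(2)))] += 1
    return counts


def threshold_lines(counts, min_hits=3, seconds=60):
    """Build threshold lines for preprocessor alerts (gid != 1) seen at least
    min_hits times. min_hits is an illustrative cutoff, not a Snort setting."""
    lines = []
    for (gid, sid), hits in sorted(counts.items()):
        if gid != 1 and hits >= min_hits:
            lines.append(
                f"threshold gen_id {gid}, sig_id {sid}, "
                f"type limit, track by_src, count 1, seconds {seconds}"
            )
    return lines


if __name__ == "__main__":
    for line in threshold_lines(count_by_generator(SAMPLE_ALERTS)):
        print(line)
```

Replacing the generated line with `suppress gen_id 119, sig_id 2` would silence the alert entirely instead of rate-limiting it per source.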

