Snort mailing list archives
RE: http inspect editing
From: "Chris Vaughan" <chrisv () parkavebank com>
Date: Thu, 24 Feb 2005 16:19:38 -0500
If all you want to do is delete it, add a suppress entry to your threshold.conf.

To find out the gen_id and sig_id, grep for the text in question in gen-msg.map.

    # grep -i 'double decoding attack' gen-msg.map
    119 || 2 || http_inspect: DOUBLE DECODING ATTACK

Then, in your threshold.conf, add the following line:

    suppress gen_id 119, sig_id 2

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of David Naylor
Sent: Thursday, February 24, 2005 3:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] http inspect editing

Hello,

Does anyone know how to edit unclassified rules? For example, I would like to edit or delete the rule for "double decoding attack" - http_inspect

thanks,
David Naylor
IT Security Coordinator
Texas Trust

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
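The lookup-then-suppress procedure from the reply above, as an added example that is not part of the original messages. It parses gen-msg.map lines and emits the matching suppress entries, optionally scoped with Snort's `track by_src|by_dst, ip ...` suppress options so that the event stays visible for every other host. The function names, the sample map and the address 192.0.2.10 are constructed for illustration.

```sh
#!/bin/sh
# Added example: build threshold.conf suppress lines from gen-msg.map entries.
# Map line format, as in the grep output above:  gen_id || sig_id || message

# Usage: suppress_lines PATTERN [TRACK IP] < gen-msg.map
#   PATTERN   case-insensitive substring of the message text
#   TRACK IP  optional scope: by_src or by_dst plus an address or CIDR
suppress_lines() {
    pattern=$1 track=${2:-} ip=${3:-}
    [ -n "$pattern" ] || { echo "suppress_lines: empty pattern" >&2; return 2; }
    case $track in
        '') ;;
        by_src|by_dst) [ -n "$ip" ] || { echo "suppress_lines: TRACK needs an IP" >&2; return 2; } ;;
        *) echo "suppress_lines: TRACK must be by_src or by_dst" >&2; return 2 ;;
    esac
    awk -F'[|][|]' -v pat="$pattern" -v track="$track" -v ip="$ip" '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*#/ || NF < 3 { next }              # comments, blank or malformed lines
        {
            gen = trim($1); sig = trim($2); msg = trim($3)
            if (gen !~ /^[0-9]+$/ || sig !~ /^[0-9]+$/) next
            if (!index(tolower(msg), tolower(pat))) next
            line = "suppress gen_id " gen ", sig_id " sig
            if (track != "") line = line ", track " track ", ip " ip
            print "# " msg                          # keep the reason next to the entry
            print line
        }'
}

# Constructed sample map; only the 119 || 2 line is taken from the message above.
sample_map() {
    cat <<'EOF'
# gen_id || sig_id || message
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
EOF
}

# Global suppression, as in the reply:
sample_map | suppress_lines 'double decoding attack'
# Scoped to one known-noisy source (192.0.2.10 is a documentation address):
sample_map | suppress_lines 'double decoding attack' by_src 192.0.2.10
```

Against a real sensor, run `suppress_lines 'double decoding attack' < gen-msg.map` and review the output before appending it to threshold.conf.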