Snort mailing list archives

RE: http inspect editing


From: "Chris Vaughan" <chrisv () parkavebank com>
Date: Thu, 24 Feb 2005 16:19:38 -0500

If all you want to do is delete it, add a suppress entry to your threshold.conf

To find out the gen_id and sig_id, grep for the text in question in gen-msg.map.
# grep -i 'double decoding attack' gen-msg.map 
119 || 2 || http_inspect: DOUBLE DECODING ATTACK

Then, in your threshold.conf, add the following line:
suppress gen_id 119, sig_id 2





 -----Original Message-----
From:   snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]  On Behalf Of David Naylor
Sent:   Thursday, February 24, 2005 3:51 PM
To:     snort-users () lists sourceforge net
Subject:        [Snort-users] http inspect editing

Hello,

   Does anyone know how to edit unclassified rules?  For example, I would like to edit or delete the rule for "double decoding attack" - http_inspect

thanks,

David Naylor
IT Security Coordinator
Texas Trust



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=ick
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
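
The lookup-then-suppress procedure from the reply above, as an added shell example that is not part of the original post: it parses gen-msg.map, refuses to act on a search string that matches more than one alert, and can limit the suppression to a single source address with the track by_src form of suppress. The function names, the 999 sample map lines and the address 192.0.2.10 used in testing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample of gen-msg.map ("gen_id || sig_id || msg");
# only the 119 || 2 line comes from the post, the 999 lines are made up.
sample_map() {
cat <<'EOF'
# constructed comment line
999 || 1 || example_preproc: CONSTRUCTED ALERT ONE
999 || 2 || example_preproc: CONSTRUCTED ALERT TWO
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
EOF
}

# lookup_ids MAPFILE TEXT: print "gen_id sig_id" for every entry whose message
# contains TEXT (case-insensitive, literal match like grep -i -F).
lookup_ids() {
    awk -F' *[|][|] *' -v pat="$2" '
        /^[ \t]*#/ || NF < 3 { next }     # skip comments and malformed lines
        index(tolower($3), tolower(pat)) { print $1, $2 }
    ' "$1"
}

# suppress_line MAPFILE TEXT [IP]: print one suppress entry. Fails when TEXT
# matches nothing (1) or more than one alert (2), so a loose search string
# cannot silence an alert you did not mean to hide. With IP, the entry only
# suppresses alerts from that source address instead of all of them.
suppress_line() {
    ids=$(lookup_ids "$1" "$2")
    [ -n "$ids" ] || { echo "no alert matches: $2" >&2; return 1; }
    [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] ||
        { echo "ambiguous, be more specific: $2" >&2; return 2; }
    gen=${ids% *}; sig=${ids#* }
    if [ -n "$3" ]; then
        echo "suppress gen_id $gen, sig_id $sig, track by_src, ip $3"
    else
        echo "suppress gen_id $gen, sig_id $sig"
    fi
}

# add_suppress CONF LINE: append LINE to CONF unless it is already there.
add_suppress() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Demo on the constructed sample: prints the entry given in the post.
demo_map=$(mktemp) && sample_map > "$demo_map"
suppress_line "$demo_map" 'double decoding attack'
rm -f "$demo_map"
```
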



