Snort mailing list archives
Re: http inspect editing
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Feb 2005 16:46:38 -0500
At 03:51 PM 2/24/2005, David Naylor wrote:
Does anyone know how to edit unclassified rules? For example, I would like to edit or delete the rule for "double decoding attack" - http_inspect
That's not a rule at all, it's an alert generated by a preprocessor.Since it's not a rule, you'd need to modify the source code for http_inspect and recompile snort to do any kind of edit.
However, you can change the parameters you pass to http_inspect in your snort.conf to disable this detection. Just add "double_decode no" to your profile in snort.conf.
My personaly approach is to not have any "default" http_inspect. I only run http_inspect against my specific webservers.
i.e: preprocessor http_inspect_server: server 208.39.141.94 \ profile all ports <censored rest of config>See the README.http_inspect that comes with the snort tarball for a bit more detail on what kinds of things you can tell http_inspect to do or not do.
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: http inspect editing Chris Vaughan (Feb 24)
- <Possible follow-ups>
- http inspect editing David Naylor (Feb 25)
- Message not available
- Re: http inspect editing Matt Kettler (Feb 25)
- Message not available