Snort mailing list archives
Preprocessors
From: Rob Ward <rob.ward () liverpool ac uk>
Date: Fri, 07 Apr 2006 11:05:35 +0100
I've also posted this on the forum so apologies for the cross posting. Can anyone offer some general advice on how to go about dealing with alerts generated by preprocessors? Alerts generated by rules seem to be easier to deal with as I can reference a specific vulnerability/exploit and take it from there.
Also I'm being swamped by http_inspect alerts and I'm pretty sure 99% if not more of these are false positives. How do you determine the gen/sig id of preprocessor alerts for thresholding?
Regards Rob Ward University of LiverpoolComputing Services Department
------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Preprocessors Rob Ward (Apr 07)
- <Possible follow-ups>
- RE: Preprocessors Briggs, Bruce (Apr 07)
- Re: Preprocessors Nigel Houghton (Apr 07)