Snort mailing list archives

Re: Preprocessors


From: Nigel Houghton <nigel () sourcefire com>
Date: Sat, 8 Apr 2006 01:23:30 -0500

   1. Preprocessors (Rob Ward)
   2. RE: Preprocessors (Briggs, Bruce)

--__--__--

Message: 1
Date: Fri, 07 Apr 2006 11:05:35 +0100
From: Rob Ward <rob.ward () liverpool ac uk>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Preprocessors

I've also posted this on the forum so apologies for the cross posting. Can 
anyone offer some general advice on how to go about dealing with alerts 
generated by preprocessors? Alerts generated by rules seem to be easier to 
deal with as I can reference a specific vulnerability/exploit and take it 
from there.

Also, I'm being swamped by http_inspect alerts and I'm pretty sure 99% if 
not more of these are false positives. How do you determine the gen/sig id 
of preprocessor alerts for thresholding?

Regards

Rob Ward
University of Liverpool
Computing Services Department 

Your starting point should be the README documents for the
pre-processors that can be found in the doc directory of the snort
source. You will find a lot of information regarding tuning, and with
http_inspect especially you will see options to turn off certain
events.

Message: 2
Date: Fri, 07 Apr 2006 10:16:59 -0400
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Subject: RE: [Snort-users] Preprocessors
To: Rob Ward <rob.ward () liverpool ac uk>, snort-users () lists sourceforge net

Check gen-msg.map in the Snort \etc directory for a list of the SIDs
from the preprocessors.

I suppress a bunch of the HTTP preprocessor messages using threshold.

This is possible, but first start with tuning the pre-processor by
investigating all options available in the README for that
pre-processor.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
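The two replies above point at gen-msg.map for the generator/signature IDs and at threshold.conf for suppressing or rate-limiting preprocessor events. The script below is an added example (not code from this thread, from Sourcefire or from the Snort project) that parses the three-field gen-msg.map format, filters by generator id, and emits Snort 2.x threshold.conf lines. The sample map contents are constructed for the example and modelled on the http_inspect (gid 119) and portscan (gid 122) events; the sid numbers and messages are assumptions and should be checked against the gen-msg.map shipped with your own release. The `suppress` and `threshold` directive syntax is the Snort 2.x threshold.conf form of the time; later 2.x releases call the rate-limit form `event_filter`.

```python
import re

# Constructed sample in gen-msg.map format ("gid || sid || message").
# Modelled on real Snort preprocessor events but illustrative only;
# verify sids against the gen-msg.map in your own Snort etc directory.
SAMPLE_GEN_MSG_MAP = """\
# gid || sid || message
1 || 1 || snort general alert
119 || 1 || (http_inspect) ASCII ENCODING
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
119 || 4 || (http_inspect) BARE BYTE UNICODE ENCODING
119 || 31 || (http_inspect) UNKNOWN METHOD
122 || 1 || (portscan) TCP Portscan
"""

# One map line: integer gid, "||", integer sid, "||", free-text message.
LINE_RE = re.compile(r"^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.*?)\s*$")


def parse_gen_msg_map(text):
    """Return a list of (gid, sid, message) tuples; blank and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable gen-msg.map line: %r" % raw)
        entries.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def find_events(entries, gid=None, pattern=None):
    """Filter entries by generator id and/or a case-insensitive message substring."""
    out = []
    for g, s, msg in entries:
        if gid is not None and g != gid:
            continue
        if pattern is not None and pattern.lower() not in msg.lower():
            continue
        out.append((g, s, msg))
    return out


def suppress_line(gid, sid):
    """threshold.conf 'suppress' directive: never alert on this event."""
    return "suppress gen_id %d, sig_id %d" % (gid, sid)


def threshold_line(gid, sid, count=1, seconds=60, track="by_src"):
    """threshold.conf 'threshold' directive of type limit: at most `count`
    alerts per `seconds` for each tracked source (or destination) address."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return ("threshold gen_id %d, sig_id %d, type limit, track %s, "
            "count %d, seconds %d" % (gid, sid, track, count, seconds))


def build_threshold_conf(entries, gid, suppress_sids=(), count=1, seconds=60):
    """Emit threshold.conf lines for every event of one generator: the sids in
    `suppress_sids` are dropped outright, every other sid is rate-limited.
    Each directive is preceded by a comment carrying the event message so the
    config stays readable when reviewed later."""
    lines = []
    for g, s, msg in find_events(entries, gid=gid):
        if s in suppress_sids:
            directive = suppress_line(g, s)
        else:
            directive = threshold_line(g, s, count, seconds)
        lines.append("# %s" % msg)
        lines.append(directive)
    return lines


if __name__ == "__main__":
    # Example run: silence two noisy http_inspect encoding events and limit the rest.
    events = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for out_line in build_threshold_conf(events, gid=119, suppress_sids=(1, 4)):
        print(out_line)
```

To use it against a real install, read the file named in the reply (gen-msg.map under Snort's etc directory) instead of the constructed string, and append the generated lines to threshold.conf. Suppressing an event hides it entirely, so the README tuning options mentioned above (turning off individual http_inspect checks that do not apply to your servers) are the better first step; rate-limiting with `type limit` keeps one alert per source per window so a real event is still visible.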

