Snort mailing list archives
Re: Preprocessors
From: Nigel Houghton <nigel () sourcefire com>
Date: Sat, 8 Apr 2006 01:23:30 -0500
1. Preprocessors (Rob Ward)
2. RE: Preprocessors (Briggs, Bruce)

--__--__--

Message: 1
Date: Fri, 07 Apr 2006 11:05:35 +0100
From: Rob Ward <rob.ward () liverpool ac uk>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Preprocessors

I've also posted this on the forum so apologies for the cross-posting.

Can anyone offer some general advice on how to go about dealing with alerts generated by preprocessors? Alerts generated by rules seem to be easier to deal with as I can reference a specific vulnerability/exploit and take it from there.

Also I'm being swamped by http_inspect alerts and I'm pretty sure 99% if not more of these are false positives. How do you determine the gen/sig id of preprocessor alerts for thresholding?

Regards
Rob Ward
University of Liverpool
Computing Services Department
Your starting point should be the README documents for the pre-processors that can be found in the doc directory of the snort source. You will find a lot of information regarding tuning and with http_inspect especially, you will see options to turn off certain events.
Message: 2
Date: Fri, 07 Apr 2006 10:16:59 -0400
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Subject: RE: [Snort-users] Preprocessors
To: Rob Ward <rob.ward () liverpool ac uk>, snort-users () lists sourceforge net

Check gen-msg.map in the Snort \etc directory for a list of the SIDs from the preprocessors. I suppress a bunch of the HTTP preprocessor messages using threshold.
This is possible, but first start with tuning the pre-processor by
investigating all options available in the README for that
pre-processor.
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
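Added example (not from this thread, and not Snort's own tooling) in Python showing the workflow the two replies describe: look up preprocessor gid/sid pairs in gen-msg.map, count which ones are flooding an alert_fast log, and write Snort 2.x threshold.conf lines for the noisiest http_inspect events, as a complement to tuning the preprocessor's README options. The gen-msg.map excerpt and alert lines are constructed; gid 119 is the http_inspect generator id, but the sids and messages are illustrative, so take the real values from your own gen-msg.map. It assumes the Snort 2.x `threshold gen_id ..., sig_id ...` directive syntax.

```python
import re
from collections import Counter
# Constructed gen-msg.map excerpt (format: gid || sid || message). gid 119 is the
# Snort 2.x http_inspect client generator; the sids/messages are illustrative.
GEN_MSG_MAP = """\
119 || 1 || (http_inspect) ASCII ENCODING
119 || 2 || (http_inspect) DOUBLE DECODING ATTACK
119 || 4 || (http_inspect) BARE BYTE UNICODE ENCODING
122 || 1 || (portscan) TCP Portscan
"""
# Constructed alert_fast lines; the bracketed triple is [gid:sid:rev].
ALERT_LOG = """\
04/07-11:05:35.000001  [**] [119:1:1] (http_inspect) ASCII ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.80:80
04/07-11:05:36.000002  [**] [119:1:1] (http_inspect) ASCII ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:40002 -> 10.0.0.80:80
04/07-11:05:37.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.6:40003 -> 10.0.0.80:80
04/07-11:05:38.000004  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 10.0.0.7:40004 -> 10.0.0.80:80
"""
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] ")

def load_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map content; skips blanks/comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gid, sid, msg = (field.strip() for field in line.split("||", 2))
        table[(int(gid), int(sid))] = msg
    return table

def count_alerts(log_text):
    """Count alerts per (gid, sid) in alert_fast output."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts

def threshold_lines(counts, table, preproc="http_inspect", count=1, seconds=60):
    """Snort 2.x threshold.conf lines (noisiest first) for the named preprocessor; rule alerts (gid 1) are left alone."""
    out = []
    for (gid, sid), n in counts.most_common():
        msg = table.get((gid, sid), "")
        if gid == 1 or preproc not in msg:
            continue
        out.append(f"# {msg}: {n} alert(s) seen")
        out.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                   f"track by_src, count {count}, seconds {seconds}")
    return out

if __name__ == "__main__": print("\n".join(threshold_lines(count_alerts(ALERT_LOG), load_gen_msg_map(GEN_MSG_MAP))))
```

Run it against your real gen-msg.map and alert file instead of the constructed strings; `type limit, count 1, seconds 60` keeps one alert per source per minute so the event is still visible while the preprocessor options are being tuned.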
