Snort mailing list archives

Re: Snort Configurations


From: Alex Tatistcheff <alext () pobox com>
Date: Wed, 22 Sep 2010 20:45:40 -0600

You can suppress the alerting and not affect the normalization (the
important part) of the http_inspect preprocessor by commenting out the rules
in the preprocessor.rules file.

Or you can suppress the output in threshold.conf with something like:
suppress gen_id 119, sig_id 13

The first option is what I would recommend.

Alex Tatistcheff
alext () pobox com

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan


On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane () laneconstinc com>wrote:

Well there are 3 types of http_inspects that I am getting mainly.
 http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
Everyone of the sources are from inside my network.  Many of them are to
amazon EC, quantserve.com(cookie related), yahoo, google, facebook, and
Pandora.  So you can see that most of the traffic is legit and it isn't
being triggered from outside the domain.  I'm just not sure how to cut down
on the number of alerts.  When I get that done I will move on to the next
but I am trying to do this in steps so that I can understand everything that
is going on

Greg Lane
IT Manager
Lane Enterprises

Email:  greglane () laneconstinc com
Phone: (228)872-2414

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Wednesday, September 22, 2010 1:21 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Configurations

On 9/22/2010 12:39, Greg Lane wrote:
I’m starting to learn how to tune my Snort install and it is a slow
process.  I
have alerts like crazy because I know it needs to be tuned and I
especially have
a lot of http_inspect alerts coming up. I’ve been reading and from what I
can
gather if you don’t have a websever you may not really need this in
operation or
am I wrong?

the answer is "it depends"... it depends on if you want to monitor outbound
http
traffic to possibly catch infestations on your network that are reporting
in or
attacking remote http servers... you might also catch (and be able to
prevent)
internal machines that are being redirected to driveby sites that would
(attempt
to) load them with infestation materials...

If I am wrong then what is the best possible solution for me to cut
down most of the alerts which are false positives so to speak or aren’t
dangerous at all? This will probably be one of many questions concerning
configs
coming to an email box near you.

false positives need to be reported to those who write those rules so they
can
be looked into and adjusted if necessary...



------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread: