Snort mailing list archives

Re: http_inspect message


From: Martin Holste <mcholste () gmail com>
Date: Sun, 18 Sep 2011 13:51:35 -0500

No, you are not under a DOS attack.  This is a very common message from
the http preprocessor.  Actually, the http preproc will create many,
many messages like this, almost all of which can be safely ignored
until you are more familiar with Snort.  I recommend that you ignore
alerts from all of the preprocessors until *AFTER* you have mastered
the regular rules.  By this I mean worry first about any signatures
which have the "trojan-activity" classification or are SQL injection
signatures.  Also, take this opportunity to add a heartbeat signature
so you'll know for sure if you're dropping packets (you can safely
skip this step if you are monitoring a link with < 100 Mbit/sec).
Once you've got your normal ruleset tuned and have responded to the
malware infections that you probably just found now that you've got
something other than AV keeping an eye on things, you can proceed to
check out the alerts generated by the preprocessors.

On Sun, Sep 18, 2011 at 12:10 PM, Mario Remy Almeida
<mario.almeida () gmail com> wrote:
Dear All,

I am new to Snort.
I get lots of these messages:

[119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification:
Potentially Bad Traffic] [Priority: 2] {TCP}

Does it mean I am under some kind of DOS attack? Can someone give me some tips
on whether I need to analyze it more, or should I block such IPs?

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
http://p.sf.net/sfu/rim-devcon-copy2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
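
An added example (not from the thread) of the triage Martin describes: parse Snort fast-format alert lines, set preprocessor alerts such as [119:14:1] aside, pull out rule hits with the trojan-activity classification for follow-up, and check that the heartbeat signature fired as often as expected. The heartbeat SID (1000001) and the sample alert lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in Snort "fast" alert format; addresses are from documentation ranges.
SAMPLE_ALERTS = """\
09/18-12:10:00.123456  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.7:80
09/18-12:10:01.000001  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.6:51235 -> 203.0.113.7:80
09/18-12:10:02.000002  [**] [1:1000001:1] LOCAL heartbeat [**] [Priority: 0] {ICMP} 10.0.0.2 -> 10.0.0.3
09/18-12:10:03.000003  [**] [1:1000002:1] CONSTRUCTED trojan beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:40001 -> 198.51.100.4:443
""".splitlines()

HEARTBEAT_SID = 1000001  # assumed SID of a local heartbeat rule (not from the thread)
TROJAN_CLASS = "A Network Trojan was detected"  # how classtype trojan-activity prints in fast alerts

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?(?: \[Priority: (?P<pri>\d+)\])?"
    r" \{(?P<proto>\w+)\}"
)

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"] or "",
            "priority": int(d["pri"]) if d["pri"] else None, "proto": d["proto"]}

def triage(lines, expected_heartbeats):
    """Park preprocessor alerts (GID != 1), group rule alerts by classification, list
    trojan-activity hits, and flag missing heartbeats as a sign of dropped packets."""
    report = {"preprocessor": Counter(), "by_class": Counter(),
              "trojan_activity": [], "heartbeats_seen": 0}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if a["gid"] != 1:                      # preprocessor alert, e.g. [119:14:1]
            report["preprocessor"][(a["gid"], a["sid"])] += 1
        elif a["sid"] == HEARTBEAT_SID:        # the rule that should fire on schedule
            report["heartbeats_seen"] += 1
        else:
            report["by_class"][a["classification"]] += 1
            if a["classification"] == TROJAN_CLASS:
                report["trojan_activity"].append(a["msg"])
    report["possible_drops"] = report["heartbeats_seen"] < expected_heartbeats
    return report
```

Feed it the alerts from one heartbeat interval and compare `heartbeats_seen` with the number of heartbeats you sent; a shortfall means the sensor missed packets on that link.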