Snort mailing list archives
Re: http_inspect tuning issue
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 3 Jul 2012 14:52:05 +0000
Yep. Did exactly that. I stumbled around trying to tune the http_inspect parameters and finally gave up.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, July 03, 2012 08:26
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] http_inspect tuning issue

-----Original Message-----
From: Castle, Shane [mailto:scastle () bouldercounty org]
Sent: Monday, July 02, 2012 4:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] http_inspect tuning issue

I am getting thousands of 120:8 alerts (http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE) and I can't figure out how to tune http_inspect so that they aren't triggered. Any info on this would be appreciated.

Yes, I've read README:http_inspect. And then I read it again. It provided no insights.

Snort details:
Version 2.9.2.2 IPv6 GRE (Build 121)
Using libpcap version 1.2.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

Find your threshold.conf file:

suppress gen_id 120, sig_id 8

sighup the snort process and these should go away.

James
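
Added example, not part of the thread or of Snort itself: a short script that counts which source addresses produce the 120:8 alerts and prints `suppress` lines scoped with `track by_src, ip` for the dominant ones, as an alternative to silencing the signature for every host. It assumes alerts are logged in Snort's "fast" format; the sample lines, the function names and the 50% threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Snort's "fast" alert format (documentation-range addresses).
SAMPLE_ALERTS = """\
07/03-08:01:11.104233  [**] [120:8:1] (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.1.1.25:51514
07/03-08:01:12.220871  [**] [120:8:1] (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.1.1.31:49822
07/03-08:01:15.009112  [**] [1:1000001:1] Constructed local rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.1.1.25:51520
07/03-08:02:40.551390  [**] [120:8:1] (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:8080 -> 10.1.1.40:50111
07/03-08:03:02.730004  [**] [120:8:1] (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.10:80 -> 10.1.1.25:51533
"""

# Pulls [gid:sid:rev] and the "src[:port] -> dst[:port]" pair out of a fast-format line.
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def count_sources(text, gid=120, sid=8):
    """Count alerts for one gid:sid pair, keyed by source IP."""
    counts = Counter()
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m and int(m["gid"]) == gid and int(m["sid"]) == sid:
            counts[m["src"]] += 1
    return counts


def scoped_suppress(counts, min_share=0.5, gid=120, sid=8):
    """Build suppress lines for sources producing at least min_share of the alerts."""
    total = sum(counts.values())
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
        for ip, n in counts.most_common()
        if total and n / total >= min_share
    ]


if __name__ == "__main__":
    per_source = count_sources(SAMPLE_ALERTS)
    for ip, n in per_source.most_common():
        print(f"{n:6d}  {ip}")
    print("\n".join(scoped_suppress(per_source)))
```

Sources that fall below the threshold keep alerting, so a new host that starts triggering 120:8 remains visible.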