Re: mystery alerts

[James Lay <jlay () slave-tothe-box net>]

On 2012-08-30 16:03, Tony Reusser wrote:
> A question from a snort n00b:
>
> I see lots of alerts in my BASE console that I cannot find a
> corresponding rule for. Some of these alerts are numerous and obvious
> false positives. But I can't find any reference to the alert message
> in any rule file or gen-msg.map or sid-msg.map files in order to
> create a suppress rule or event_filter rule for the gen_id and sig_id
> numbers. I'm perplexed. Alert examples are below:
>
> imap: Unknown IMAP4 command
>
> imap: Unknown IMAP4 response
>
> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
>
> I realize these are preprocessor rules, but shouldn't I still see a
> reference in 'preprocessor.rules' ?
>
> Any help or advice would be appreciated.
>
> Tony

Tony,

In the Snort source code there's a directory called doc.  In there you 
will find README.imap and README.http_inspect which should help you out.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!