Snort mailing list archives
Re: mystery alerts
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 30 Aug 2012 16:27:23 -0600
On 2012-08-30 16:03, Tony Reusser wrote:
A question from a snort n00b: I see lots of alerts in my BASE console that I cannot find a corresponding rule for. Some of these alerts are numerous and obvious false positives. But I can't find any reference to the alert message in any rule file or in the gen-msg.map or sid-msg.map files in order to create a suppress rule or event_filter rule for the gen_id and sig_id numbers. I'm perplexed. Alert examples are below:

imap: Unknown IMAP4 command
imap: Unknown IMAP4 response
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE

I realize these are preprocessor rules, but shouldn't I still see a reference in 'preprocessor.rules'? Any help or advice would be appreciated.

Tony
Tony,

In the Snort source code there's a directory called doc. In there you will find README.imap and README.http_inspect which should help you out.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
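The lookup James points Tony at, as an added example that is not part of the thread and not Snort's own code: preprocessor events are listed in gen-msg.map as "gid || sid || message", while BASE shows the same event as "preprocessor: message", so a plain grep for the BASE string fails on the "(imap)" versus "imap:" prefix. The script below normalises both forms, maps an alert message to its (gen_id, sig_id) pair and emits the suppress and event_filter lines for snort.conf. The gen-msg.map excerpt is constructed for this example and its sid numbers are assumed for illustration only; the real values must be read from the gen-msg.map shipped with your own Snort build.

```python
"""Resolve a BASE/Snort preprocessor alert message to gen_id/sig_id and
emit matching suppress / event_filter lines.

Added example for the snort-sigs thread; not code from Snort or the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in gen-msg.map format ("gid || sid || message").
# The gid/sid numbers here are ASSUMED for illustration; take real values
# from the gen-msg.map that ships with your Snort version.
SAMPLE_GEN_MSG_MAP = """\
# gen-msg.map (constructed excerpt for this example)
1 || 1 || snort general alert
119 || 1 || (http_inspect) UNKNOWN METHOD
120 || 8 || (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
141 || 1 || (imap) Unknown IMAP4 command
141 || 2 || (imap) Unknown IMAP4 response
"""

GEN_MSG_LINE = re.compile(r"^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.*?)\s*$")


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Parse gen-msg.map text into {(gid, sid): message}, skipping comments."""
    entries: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = GEN_MSG_LINE.match(line)
        if not m:
            continue  # tolerate malformed rows rather than abort
        entries[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return entries


def normalise(msg: str) -> str:
    """Fold "(imap) Unknown IMAP4 command" and "imap: Unknown IMAP4 command"
    into one case-insensitive, whitespace-collapsed form."""
    msg = re.sub(r"^\s*\(([^)]+)\)\s*", r"\1: ", msg)
    return " ".join(msg.split()).lower()


def find_ids(entries: Dict[Tuple[int, int], str], alert_msg: str) -> List[Tuple[int, int]]:
    """Return every (gid, sid) whose gen-msg.map message equals alert_msg."""
    needle = normalise(alert_msg)
    return sorted(k for k, v in entries.items() if normalise(v) == needle)


def suppress_lines(ids: List[Tuple[int, int]]) -> List[str]:
    """snort.conf lines that drop the event entirely."""
    return [f"suppress gen_id {g}, sig_id {s}" for g, s in ids]


def event_filter_lines(ids: List[Tuple[int, int]], count: int = 1, seconds: int = 60) -> List[str]:
    """snort.conf lines that keep the event but rate-limit it per source."""
    return [
        f"event_filter gen_id {g}, sig_id {s}, type limit, track by_src, "
        f"count {count}, seconds {seconds}"
        for g, s in ids
    ]


def render_config(alert_msgs: List[str], map_text: str, mode: str = "suppress") -> List[str]:
    """Resolve each BASE alert string and emit the chosen tuning lines."""
    entries = parse_gen_msg_map(map_text)
    out: List[str] = []
    for msg in alert_msgs:
        ids = find_ids(entries, msg)
        if not ids:
            out.append(f"# no gen-msg.map entry found for: {msg}")
            continue
        out.extend(suppress_lines(ids) if mode == "suppress" else event_filter_lines(ids))
    return out


if __name__ == "__main__":
    # The three alerts from Tony's BASE console.
    alerts = [
        "imap: Unknown IMAP4 command",
        "imap: Unknown IMAP4 response",
        "http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE",
    ]
    for line in render_config(alerts, SAMPLE_GEN_MSG_MAP, mode="event_filter"):
        print(line)
```

To use it against a real install, read the text of the installed gen-msg.map (the path depends on how Snort was packaged) instead of SAMPLE_GEN_MSG_MAP and paste the resulting lines into snort.conf (or the threshold.conf it includes) before reloading. Prefer event_filter over suppress for the noisy-but-legitimate cases: a blanket suppress on an http_inspect anomaly also hides the one time the malformed chunk size is an attack.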
Current thread:
- mystery alerts Tony Reusser (Aug 30)
- Re: mystery alerts James Lay (Aug 30)