Snort mailing list archives

rules explanations


From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Tue, 9 Sep 2014 11:57:51 +0000

Hello


I am trying to understand these rules; is there a page that describes each and every rule?

If I Google a rule, I don't get any explanation of it other than to suppress or disable it.

I have so far suppressed the following, which has reduced the alerts a lot.


#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32, track by_src, ip $HOME_NET

#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31, track by_src, ip $HOME_NET

#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8, track by_src, ip $HOME_NET

#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3, track by_src, ip $HOME_NET

#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2, track by_src, ip $HOME_NET

#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6, track by_src, ip $HOME_NET

#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7, track by_src, ip $HOME_NET

#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4, track by_src, ip $HOME_NET

#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9, track by_src, ip $HOME_NET

#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10, track by_src, ip $HOME_NET

#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33, track by_src, ip $HOME_NET

#(http_inspect) U ENCODING
suppress gen_id 119, sig_id 3, track by_src, ip $HOME_NET

#stream5: Reset outside window
suppress gen_id 129, sig_id 15, track by_src, ip $HOME_NET
#suppress gen_id 129, sig_id 15, track by_dst, ip 10.20.30.40/29

#stream5: Bad segment, overlap adjusted size less than/equal 0
suppress gen_id 129, sig_id 5, track by_src, ip $HOME_NET
#suppress gen_id 129, sig_id 5, track by_dst, ip 10.20.30.40/29




Now I get an average of 34 alerts per hour and would like some explanations regarding them. Below are a few I get
which are common after suppressing the above rules.

NETBIOS SMB write_andx overflow attempt

dnp3: DNP3 Link-Layer Frame was dropped.

http_inspect: UNKNOWN METHOD

http_inspect: NON-RFC DEFINED CHAR

http_inspect: UNESCAPED SPACE IN HTTP URI



Sharif Uddin
Development/Support Engineer
-------------------

Spectrum Geo Ltd
Dukes Court, Duke Street
Woking, Surrey
GU21 5BH
UNITED KINGDOM

Tel: +44 (0) 1483 730201
Fax: +44 (0) 1483 762620

http://www.spectrumasa.com/


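The suppress lines posted above all use `track by_src, ip $HOME_NET`, so they only hide an event when the packet's source address falls inside $HOME_NET; the same GID:SID from any other source, or a response-side event (gen_id 120) whose source is an external web server, is still logged. The following is an added example (not code from the original post or from the Snort project) that replays constructed alert_fast-style lines against a threshold.conf-style suppress list and reports which alerts would have been hidden and which remain. The $HOME_NET value, the alert lines and the suppress list are all assumed/constructed for the example; the alert text format is only approximately Snort's fast-alert format and the suppress parser handles the subset of syntax used in the post (no `!` negation, no port lists).

```python
import ipaddress
import re
from collections import Counter

# Assumed snort.conf variables for the example (constructed, not from the post).
VARS = {"HOME_NET": ["10.20.30.0/24"]}

# suppress gen_id X, sig_id Y[, track by_src|by_dst, ip <addr|cidr|$VAR|[a,b]>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")

# "[**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?")


def expand_ip(spec):
    """Turn an ip argument ($VAR, [a,b] list, single address or CIDR) into networks."""
    spec = spec.strip()
    if spec.startswith("$"):
        items = VARS[spec[1:]]           # variable lookup (assumed values above)
    elif spec.startswith("["):
        items = spec.strip("[]").split(",")
    else:
        items = [spec]
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items]


def parse_suppress(conf_text):
    """Parse suppress lines; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unsupported suppress syntax: %r" % raw)
        gid, sid, track, ip = m.groups()
        rules.append((int(gid), int(sid), track, expand_ip(ip) if ip else None))
    return rules


def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, msg, src, dst = m.groups()
    return {"gid": int(gid), "sid": int(sid), "msg": msg,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def is_suppressed(alert, rules):
    """A rule without 'track' hides every instance; with track, only when the
    tracked address (source or destination) is inside one of the networks."""
    for gid, sid, track, nets in rules:
        if (gid, sid) != (alert["gid"], alert["sid"]):
            continue
        if track is None:
            return True
        addr = alert["src"] if track == "by_src" else alert["dst"]
        if any(addr in n for n in nets):
            return True
    return False


def triage(alert_text, conf_text):
    """Return (kept, hidden) counters keyed by 'gid:sid message'."""
    rules = parse_suppress(conf_text)
    kept, hidden = Counter(), Counter()
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = "%d:%d %s" % (a["gid"], a["sid"], a["msg"])
        (hidden if is_suppressed(a, rules) else kept)[key] += 1
    return kept, hidden


# Constructed sample input: internal client 10.20.30.15, internal server
# 10.20.30.80, external hosts 198.51.100.7 and 93.184.216.34 (all made up).
SAMPLE_ALERTS = """\
09/09-10:01:02.000001  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.20.30.15:51234 -> 93.184.216.34:80
09/09-10:01:03.000002  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 198.51.100.7:40001 -> 10.20.30.80:80
09/09-10:02:00.000003  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.20.30.15:51235 -> 93.184.216.34:80
09/09-10:02:01.000004  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 198.51.100.7:40002 -> 10.20.30.80:80
09/09-10:03:00.000005  [**] [129:15:1] (stream5) Reset outside window [**] [Priority: 3] {TCP} 10.20.30.15:51236 -> 93.184.216.34:443
09/09-10:04:00.000006  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 93.184.216.34:80 -> 10.20.30.15:51234
"""

SAMPLE_CONF = """\
# (http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31, track by_src, ip $HOME_NET
# (http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2, track by_src, ip $HOME_NET
# (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3, track by_src, ip $HOME_NET
# stream5: Reset outside window (no track: hidden for every host)
suppress gen_id 129, sig_id 15
"""

if __name__ == "__main__":
    kept, hidden = triage(SAMPLE_ALERTS, SAMPLE_CONF)
    for label, counter in (("STILL LOGGED", kept), ("SUPPRESSED", hidden)):
        print(label)
        for key, n in counter.most_common():
            print("  %4d  %s" % (n, key))
```

Run against the constructed input, the two UNKNOWN METHOD and two DOUBLE DECODING ATTACK events each split one hidden / one kept (the external-source copy survives), the stream5 event disappears entirely because its suppress line has no `track`, and the gen_id 120 response event is never hidden because its source is the external server, not a $HOME_NET address. Swapping a line to `track by_dst` or narrowing `ip` to a specific server, as in the commented-out 10.20.30.40/29 variants in the post, changes exactly which of these survive, which is the check worth doing before trusting a tuned sensor.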
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net