Snort mailing list archives
Re: IPv6 Alerts documentation & Disable alerts
From: Gabriel Corre <gabriel.corre () fr clara net>
Date: Wed, 12 Aug 2015 10:07:00 +0000
Got it! Yeah, it is GID 116 and SID 278/281. These alerts are in "decoder.rules" and the details are in "gen-msg.map".

Commenting or uncommenting "include preproc_rules/decoder.rules" seems to be ineffective since I'm using pulledpork. I saw in pulledpork.conf that all rules are regrouped in "snort.rules", so I commented out the alerts I wanted to disable there.

Thanks for your help!

--
Gabriel Corré
Network Engineering Student, Ops - Core Infrastructure

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Wednesday, 12 August 2015 11:41
To: Gabriel Corre <gabriel.corre () fr clara net>
Cc: snort-users () lists sourceforge net
Subject: RE: IPv6 Alerts documentation & Disable alerts

Hello,

These are decoder rules (GID 116). You should have an include in your snort.conf for a decoder.rules file:

"include preproc_rules/decoder.rules"

The decoder.rules file is where you want to look.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Gabriel Corre [mailto:gabriel.corre () fr clara net]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts

Hello,

I'm running snort 2.9.7.5 on a VPS (Debian 7.5). I'm just trying some basic config and I'm receiving mainly these two alerts:

* [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
* [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**] [Classification: Generic Protocol Command Decode] [Priority: 3]

I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" in snort.conf but it didn't disable the alerts. Any ideas?

Finally, does [116:278:1] stand for [gid,sid,rev]?

Regards,
--
Gabriel Corré
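The thread settles three practical questions: what the bracketed [116:278:1] in an alert means (gid:sid:rev), where the text of a decoder alert is documented (gen-msg.map), and how to silence a specific rule in the pulledpork-merged snort.rules. The script below is an added example written for this page, not code from the thread or from the Snort or pulledpork projects. It assumes gen-msg.map's "gid || sid || message" line layout and the `sid:`/`gid:` keyword layout of Snort rules; the gen-msg.map excerpt, rules file and alert lines embedded in it are constructed samples modelled on the alerts quoted above, not copies of the real files.

```python
"""Decode Snort [gid:sid:rev] alert headers, look them up in a gen-msg.map
table, and comment matching rules out of a rules file by (gid, sid).

Added example for the mailing-list thread above; all sample data below is
constructed, not taken from a real Snort installation.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed excerpt in gen-msg.map's "gid || sid || message" layout.
SAMPLE_GEN_MSG_MAP = """\
# constructed sample, not the shipped gen-msg.map
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
"""

# Constructed rules in the keyword layout Snort uses; msg strings are placeholders.
SAMPLE_SNORT_RULES = """\
# constructed sample of a pulledpork-merged snort.rules
alert ( msg:"constructed decoder rule 1"; sid: 1; gid: 116; rev: 1; classtype:protocol-command-decode; )
alert ( msg:"constructed decoder rule 278"; sid:278; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"constructed decoder rule 281"; sid:281; gid:116; rev:1; classtype:protocol-command-decode; )
alert tcp any any -> any 80 ( msg:"constructed text rule"; sid:1000001; rev:1; )
"""

# Constructed alert lines in Snort's "fast" alert format, mirroring the thread.
SAMPLE_ALERTS = [
    '[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast '
    'destination address [**] [Classification: Generic Protocol Command Decode] [Priority: 3]',
    '[**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the '
    '"next header" field [**] [Classification: Generic Protocol Command Decode] [Priority: 3]',
]

ALERT_HEADER = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r"(?:\s*\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"(?:\s*\[Priority:\s*(?P<priority>\d+)\])?"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Split a fast-format alert into gid, sid, rev, message, classification, priority."""
    m = ALERT_HEADER.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["classification"],
        "priority": int(m["priority"]) if m["priority"] else None,
    }


def load_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Index gen-msg.map lines ("gid || sid || message") by (gid, sid)."""
    table: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("||", 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash on a large file
        table[(int(parts[0]), int(parts[1]))] = parts[2].strip()
    return table


def lookup_alert(line: str, table: Dict[Tuple[int, int], str]) -> Optional[str]:
    """Return the gen-msg.map description for an alert line, or None if unknown."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    return table.get((parsed["gid"], parsed["sid"]))


def rule_id(rule: str) -> Optional[Tuple[int, int]]:
    """Return (gid, sid) for a rule line; Snort's default gid is 1 when the keyword is absent."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def disable_rules(rules_text: str, disabled: Set[Tuple[int, int]]) -> Tuple[str, int]:
    """Comment out every active rule whose (gid, sid) is in `disabled`; return (text, count)."""
    out, count = [], 0
    for line in rules_text.splitlines():
        if not line.lstrip().startswith("#") and rule_id(line) in disabled:
            out.append("# " + line)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    table = load_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for alert in SAMPLE_ALERTS:
        a = parse_alert(alert)
        print(f"gid={a['gid']} sid={a['sid']} rev={a['rev']}: {lookup_alert(alert, table)}")
    text, n = disable_rules(SAMPLE_SNORT_RULES, {(116, 278), (116, 281)})
    print(f"commented out {n} rule(s)")
    print(text)
```

Hand edits to the merged snort.rules are lost the next time pulledpork regenerates it, so treat the output of `disable_rules` as the one-off equivalent of what the thread describes; pulledpork's own disablesid.conf (entries of the form gid:sid) is the setting that persists across updates.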
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- IPv6 Alerts documentation & Disable alerts Gabriel Corre (Aug 12)
- Re: IPv6 Alerts documentation & Disable alerts Al Lewis (allewi) (Aug 12)
- Re: IPv6 Alerts documentation & Disable alerts Gabriel Corre (Aug 12)
- Re: IPv6 Alerts documentation & Disable alerts Al Lewis (allewi) (Aug 12)