Snort mailing list archives

Re: IPv6 Alerts documentation & Disable alerts


From: Gabriel Corre <gabriel.corre () fr clara net>
Date: Wed, 12 Aug 2015 10:07:00 +0000

Got it!
Yeah, it is GID 116 and SID 278/281. These alerts are in "decoder.rules" and the details are in "gen-msg.map".
Commenting or uncommenting "include preproc_rules/decoder.rules" seems to be ineffective since I'm using pulledpork. I saw in 
the pulledpork.conf that all rules are regrouped in "snort.rules", so I commented out the alerts I wanted to disable there.

Thanks for your help!

--

Gabriel Corré
Network Engineering Student, Ops - Core Infrastructure
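The thread turns on three small formats: the `[gid:sid:rev]` prefix of a Snort alert line, a pulledpork-style `gid:sid` disable list, and the merged snort.rules file in which pulledpork comments out disabled rules. The script below is an added example, not Snort or pulledpork code: it parses the two decoder alerts quoted in the thread into their gid/sid/rev, classification and priority, applies a constructed disable list for 116:278 and 116:281, and comments out the matching rules in a constructed, decoder.rules-style rule set. The sample alert lines, rule lines and disable list are constructed for the example; the disable-list parser is a simplified one (single `gid:sid` entries and `#` comments only, no ranges or `pcre:` selectors).

```python
"""Parse Snort fast-format alert lines and apply a pulledpork-style disable list.

Added example, not Snort or pulledpork code. All sample data below is constructed.
"""
import re

# Snort "fast"/console alert format as quoted in the thread (the second line is optional):
#   [**] [116:278:1] (snort_decoder) WARNING: ... [**]
#   [Classification: Generic Protocol Command Decode] [Priority: 3]
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r"(?:\s*\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"(?:\s*\[Priority:\s*(?P<priority>\d+)\])?"
)

# Rule-option extractors for a snort.rules-style file.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)")


def parse_alerts(text):
    """Return one dict per alert found in text; gid/sid/rev/priority as ints."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        d = m.groupdict()
        alerts.append({
            "gid": int(d["gid"]),
            "sid": int(d["sid"]),
            "rev": int(d["rev"]),
            "msg": d["msg"],
            "classification": d["classification"],  # None if absent
            "priority": int(d["priority"]) if d["priority"] else None,
        })
    return alerts


def parse_disablesid(text):
    """Parse 'gid:sid' entries separated by commas or newlines; '#' starts a comment.

    Simplified: pulledpork's disablesid.conf also accepts ranges and pcre: selectors,
    which this helper deliberately does not handle.
    """
    disabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        for entry in filter(None, (e.strip() for e in line.split(","))):
            gid, sid = entry.split(":")
            disabled.add((int(gid), int(sid)))
    return disabled


def suppressed_alerts(alert_text, disabled):
    """Alerts whose (gid, sid) is on the disable list, i.e. the ones that would vanish."""
    return [a for a in parse_alerts(alert_text) if (a["gid"], a["sid"]) in disabled]


def disable_rules(rules_text, disabled):
    """Comment out every rule whose (gid, sid) is disabled, the way pulledpork rewrites
    its merged snort.rules. A rule without an explicit gid belongs to GID 1 (text rules)."""
    out = []
    for line in rules_text.splitlines():
        sid_m = SID_RE.search(line)
        if line.lstrip().startswith("#") or not sid_m:
            out.append(line)          # comment, blank, or not a rule: untouched
            continue
        gid_m = GID_RE.search(line)
        gid = int(gid_m.group(1)) if gid_m else 1
        if (gid, int(sid_m.group(1))) in disabled:
            out.append("# " + line)   # disabled: commented out, not deleted
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample alert output, modelled on the two lines quoted in the thread.
SAMPLE_ALERTS = """\
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
[**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
[**] [1:1000001:1] constructed text rule hit [**]
[Classification: Misc activity] [Priority: 3]
"""

# Constructed rule set in decoder.rules style (not the shipped file).
SAMPLE_RULES = """\
# constructed sample rules
alert ( msg: "(snort_decoder) WARNING: IPv6 packet with reserved multicast destination address"; sid: 278; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert ( msg: "(snort_decoder) WARNING: IPv6 header includes an invalid value for the next header field"; sid: 281; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert ( msg: "(snort_decoder) WARNING: constructed decoder rule that stays enabled"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert tcp any any -> any 80 ( msg: "constructed text rule"; sid: 1000001; rev: 1; )
"""

# Constructed disablesid.conf-style list for the two decoder alerts from the thread.
DISABLESID = """\
# decoder alerts discussed on snort-users
116:278,116:281
"""

if __name__ == "__main__":
    disabled = parse_disablesid(DISABLESID)
    for a in suppressed_alerts(SAMPLE_ALERTS, disabled):
        print(f"would be suppressed: [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']}")
    print(disable_rules(SAMPLE_RULES, disabled))
```

Running the script lists the two decoder alerts as suppressed and prints the rule set with exactly those two rules commented out; the GID 116 SID 1 rule and the GID 1 text rule stay active, which is the check worth doing before trusting a pulledpork run.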

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Wednesday, 12 August 2015 11:41
To: Gabriel Corre <gabriel.corre () fr clara net>
Cc: snort-users () lists sourceforge net
Subject: RE: IPv6 Alerts documentation & Disable alerts

Hello,

These are decoder rules (GID 116). You should have an include in your snort.conf for a decoder.rules file:

"include preproc_rules/decoder.rules"

The decoder.rules file is where you want to look.


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Gabriel Corre [mailto:gabriel.corre () fr clara net]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts

Hello,
I'm running snort 2.9.7.5 on a VPS (Debian 7.5).
I'm just trying some basic config and I'm receiving mainly these two alerts:

  *   [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
      [Classification: Generic Protocol Command Decode] [Priority: 3]
  *   [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
      [Classification: Generic Protocol Command Decode] [Priority: 3]
I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" in snort.conf but it didn't disable the 
alerts.
Any ideas?
Finally, does [116:278:1] stand for [gid,sid,rev]?
Regards,

--

Gabriel Corré
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
