Snort mailing list archives
Re: snort http_inspect alerts still flooding on snort 2.1.2....
From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 21 May 2004 05:48:58 -0700 (PDT)
Jeremy and All,

I was running snort 2.1.1 on Solaris 8, and it kicked off 1k+ http_inspect alerts each day. I thought upgrading to 2.1.2 would fix this problem, according to the message below. I never saw any http_inspect alerts when running snort 2.0.6.

I upgraded my snort to Version 2.1.2 (Build 25), and it still shows more than 1k http_inspect related events in the alert file in 10 hours. Is it real? How do I tune it down, or stop it, since it's NOT from a rule file?

Any suggestions for handling it will be much appreciated.

Thanks in advance!

Sn W.

--- Jeremy Hewlett <jh () sourcefire com> wrote:

> On Tue, May 11, nyarlathothep () libero it wrote:
>> Hello everyone, I have a question about the use of Snort's preprocessors: I've installed Snort on a Linux box and I've tried from outside to do an APACHE CHUNKED ENCODE (Bugtraq ID: 5033, CVE:). Snort records in the database only the http_inspect data, so: (http_inspect) OVERSIZE CHUNK ENCODING, but it doesn't activate the rules, one of those I think:
>
> This sounds like you've stumbled on a known issue. What version are you using? Snort 2.1.2+ has this fix.
Current thread:
- snort http_inspect nyarlathothep () libero it (May 11)
- Re: snort http_inspect sgt_b (May 11)
- Re: snort http_inspect Jeremy Hewlett (May 11)
- Re: snort http_inspect alerts still flooding on snort 2.1.2.... Snortty (May 21)
