Snort mailing list archives

RE: Preprocessors


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Fri, 07 Apr 2006 10:16:59 -0400

Check gen-msg.map in the Snort \etc directory for a list of the SIDs
from the preprocessors.

I suppress a bunch of the HTTP preprocessor messages using threshold.

Bruce 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rob Ward
Sent: Friday, April 07, 2006 6:06 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Preprocessors

I've also posted this on the forum so apologies for the cross posting.
Can anyone offer some general advice on how to go about dealing with
alerts generated by preprocessors? Alerts generated by rules seem to be
easier to deal with as I can reference a specific vulnerability/exploit
and take it from there.

Also I'm being swamped by http_inspect alerts and I'm pretty sure 99% if
not more of these are false positives. How do you determine the gen/sig
id of preprocessor alerts for thresholding?

Regards

Rob Ward
University of Liverpool
Computing Services Department 


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting
language
that extends applications into web and mobile media. Attend the live
webcast
and join the prime developer group breaking into this new coding
territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
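
Added example, not part of either poster's message and not Snort project code: a small Python helper that reads gen-msg.map text, picks out one preprocessor's generator/alert IDs, and writes standalone threshold or suppress lines for them. The sample map lines, function names and default count/seconds values are constructed for illustration; read the IDs from your own gen-msg.map.

```python
# Constructed sample in the "generator id || alert id || message" layout
# used by gen-msg.map; the last line is deliberately malformed.
SAMPLE_GEN_MSG_MAP = """\
# GENERATORS -> msg map
1 || 1 || snort general alert
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
122 || 1 || portscan: TCP Portscan
this line is malformed
"""

def parse_gen_msg_map(text):
    """Return (gen_id, sig_id, message) tuples, skipping comments and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        entries.append((int(parts[0]), int(parts[1]), parts[2]))
    return entries

def find_alerts(entries, keyword):
    """Select entries whose message mentions the preprocessor name."""
    kw = keyword.lower()
    return [e for e in entries if kw in e[2].lower()]

def threshold_lines(entries, mode="limit", count=1, seconds=60, track="by_src"):
    """Build threshold.conf lines; mode 'suppress' silences, others rate-limit."""
    if mode not in ("limit", "threshold", "both", "suppress"):
        raise ValueError("unknown mode: " + mode)
    out = []
    for gen_id, sig_id, msg in entries:
        out.append("# " + msg)  # keep the alert text next to its IDs for review
        if mode == "suppress":
            out.append(f"suppress gen_id {gen_id}, sig_id {sig_id}")
        else:
            out.append(f"threshold gen_id {gen_id}, sig_id {sig_id}, "
                       f"type {mode}, track {track}, count {count}, seconds {seconds}")
    return out

if __name__ == "__main__":
    hits = find_alerts(parse_gen_msg_map(SAMPLE_GEN_MSG_MAP), "http_inspect")
    print("\n".join(threshold_lines(hits)))
```

Rate-limiting with type limit keeps one alert per source per interval visible, while suppress hides the alert entirely, so review each message before choosing suppress.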

