[Snort-sigs] http_inspect pre-processor tuning!

CunningPike cunningpike at ...2420...
Tue Sep 2 16:43:25 EDT 2008


Hi Abhi,

I simply use 'no_alerts' with http_inspect - the pre-proc is required 
for many HTTP rules and shouldn't be disabled, but I don't need the 
alerts it generates. YMMV.

CP

Abhi S wrote:
> Hi,
> 
> I'm getting a lot of false positives generated by the http_inspect 
> pre-processor. This is legitimate traffic coming from a single IP 
> address that I would like to tune out. However I cannot find the correct 
> option to add into the snort.conf file that will tell http_inspect not 
> to generate alerts for that specific IP address.
> 
> Does anyone know of a way to do this and the correct statement to add 
> into the snort.conf file?
> 
> Thanks
> /Abhi
