[Snort-sigs] http_inspect pre-processor tuning!

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Tue Sep 2 16:44:55 EDT 2008


You could use suppression for http_inspect alerts for those IPs.


Regards,

On Tue, Sep 2, 2008 at 5:43 PM, CunningPike <cunningpike at ...2420...> wrote:
> Hi Abhi,
>
> I simply use 'no_alerts' with http_inspect - the pre-proc is required
> for many HTTP rules and shouldn't be disabled, but I don't need the
> alerts it generates. YMMV.
>
> CP
>
> Abhi S wrote:
>> Hi,
>>
>>  I'm getting a lot of false positives generated by the http_Inspect
>> pre-processor. This is legitimate traffic coming from a single IP
>> address that I would like to tune out. However I cannot find the correct
>> option to add into the snort.conf file that will tell http_inspect not
>> to generate alerts for that specific IP address.
>>
>> Does anyone know of a way to do this and the correct statement to add
>> into the snort.conf file?
>>
>> Thanks
>> /Abhi
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
===========================
Rodrigo Montoro (Sp0oKeR)
Security Analyst
SnortCP / RHCE / LPIC-I / MCSO
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================
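
The two approaches from this thread, sketched as a snort.conf fragment. This is an added example, not text from any of the posters. The address 192.0.2.10 is a constructed placeholder, and the sig_id values are examples to be replaced with the 119:<sid> pairs seen in your own alerts.

```conf
# Added example, not from the thread. 192.0.2.10 is a placeholder for the
# single trusted source producing the false positives.

# Approach 1 (suppression): keep http_inspect alerting for everyone else and
# silence only the noisy events from that one source. gen_id 119 is the
# http_inspect generator; add one line per sig_id that actually fires.
suppress gen_id 119, sig_id 2,  track by_src, ip 192.0.2.10   # 119:2  double decoding
suppress gen_id 119, sig_id 15, track by_src, ip 192.0.2.10   # 119:15 oversize request-URI directory

# Approach 2 (no_alerts): the preprocessor still normalizes HTTP for the rules
# that depend on it, but it raises no alerts of its own for ANY host.
# Left commented out because it is the broader of the two settings.
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 } no_alerts
```

Suppression scoped with track by_src hides only the listed events from that one address, while no_alerts removes http_inspect alerting for all traffic handled by that server configuration.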