[Snort-sigs] mystery alerts
treusser at ...3727...
Thu Aug 30 18:03:54 EDT 2012
A question from a snort n00b:
I see lots of alerts in my BASE console that I cannot find a corresponding
rule for. Some of these alerts are numerous and obvious false positives.
But I can't find any reference to the alert message in any rule file or
gen-msg.map or sid-msg.map files in order to create a suppress rule or
event_filter rule for the gen_id and sig_id numbers. I'm perplexed. Alert
examples are below:
imap: Unknown IMAP4 command
imap: Unknown IMAP4 response
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
I realize these are preprocessor rules, but shouldn't I still see a
reference in 'preprocessor.rules'?
Any help or advice would be appreciated.
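One way to chase these down, as an added example that is not part of the original post: parse gen-msg.map (its line format is `gen_id || sig_id || message`), match a console message against it ignoring the `(preproc)` / `preproc:` prefix and case, and emit the matching suppress or event_filter directive. The map lines embedded below are a constructed sample and the gen_id/sig_id numbers in it are placeholders, not Snort's real assignments.

```python
"""Resolve a preprocessor alert message to gen_id/sig_id via gen-msg.map
and emit Snort suppress / event_filter directives for threshold.conf."""
import re

# Constructed sample of gen-msg.map lines (gen_id || sig_id || message).
# The numeric IDs are placeholders for illustration only.
SAMPLE_GEN_MSG_MAP = """\
# gen-msg.map (constructed sample)
1 || 1 || snort general alert
119 || 900 || (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
141 || 900 || (imap) Unknown IMAP4 command
141 || 901 || (imap) Unknown IMAP4 response
"""

LINE_RE = re.compile(r"^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.*?)\s*$")


def parse_gen_msg_map(text):
    """Return {(gen_id, sig_id): message} for every well-formed map line."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            table[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return table


def normalize(msg):
    """Drop a leading '(preproc)' or 'preproc:' tag and fold case, so the
    console's 'imap: ...' form matches the map's '(imap) ...' form."""
    msg = re.sub(r"^\s*(\([^)]*\)|[\w-]+:)\s*", "", msg)
    return msg.strip().lower()


def find_ids(table, alert_msg):
    """All (gen_id, sig_id) pairs whose message equals the console text."""
    want = normalize(alert_msg)
    return sorted(k for k, v in table.items() if normalize(v) == want)


def suppress_line(gen_id, sig_id):
    return f"suppress gen_id {gen_id}, sig_id {sig_id}"


def event_filter_line(gen_id, sig_id, count=1, seconds=60):
    return (f"event_filter gen_id {gen_id}, sig_id {sig_id}, type limit, "
            f"track by_src, count {count}, seconds {seconds}")


if __name__ == "__main__":
    table = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for msg in ("imap: Unknown IMAP4 command",
                "http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE"):
        for gid, sid in find_ids(table, msg):
            print(suppress_line(gid, sid))
            print(event_filter_line(gid, sid))
```

Run it against the real gen-msg.map shipped with your Snort build (read the file instead of the sample string) to confirm whether the message is present there at all; a miss points at a version mismatch between the map and the running preprocessors.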