[Snort-sigs] mystery alerts
jlay at ...3266...
Thu Aug 30 18:27:23 EDT 2012
On 2012-08-30 16:03, Tony Reusser wrote:
> A question from a snort n00b:
> I see lots of alerts in my BASE console that I cannot find a
> corresponding rule for. Some of these alerts are numerous and obvious
> false positives. But I can't find any reference to the alert message
> in any rule file or gen-msg.map or sid-msg.map files in order to
> create a suppress rule or event_filter rule for the gen_id and sig_id
> numbers. I'm perplexed. Alert examples are below:
> imap: Unknown IMAP4 command
> imap: Unknown IMAP4 response
> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
> I realize these are preprocessor rules, but shouldn't I still see a
> reference in 'preprocessor.rules' ?
> Any help or advice would be appreciated.
In the Snort source code there's a directory called doc. In there you
will find README.imap and README.http_inspect which should help you out.
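Since the question is how to get from an alert message seen in BASE to the gen_id/sig_id pair that a `suppress` or `event_filter` line needs, here is a small helper added to this thread (not code from either poster or from the Snort project). It parses the `gid || sid || message` format of gen-msg.map, looks up each alert message, and emits the corresponding snort.conf lines; messages it cannot resolve are reported separately, which is the situation the original poster describes. The gen-msg.map content below is a constructed sample: the gid/sid values 998 and 999 are placeholders, not the real preprocessor ids, so run it against the gen-msg.map shipped with your own Snort version.

```python
import re

# Constructed sample of gen-msg.map (format: "gid || sid || message").
# The gids/sids are placeholders, NOT the real Snort preprocessor ids.
SAMPLE_GEN_MSG_MAP = """\
# gen-msg.map (constructed sample for illustration)
999 || 1 || imap: Unknown IMAP4 command
999 || 2 || imap: Unknown IMAP4 response
998 || 3 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
"""

# One map entry: gid, sid and message separated by "||".
LINE_RE = re.compile(r"^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.+?)\s*$")


def _norm(msg):
    """Normalise a message for matching: lower-case, single spaces."""
    return " ".join(msg.split()).lower()


def parse_gen_msg_map(text):
    """Return {normalised message: (gid, sid)}; blank lines and '#' comments are skipped."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; ignore rather than abort
        gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(3)
        mapping[_norm(msg)] = (gid, sid)
    return mapping


def lookup(mapping, alert_msg):
    """Map an alert message as shown in BASE to (gid, sid), or None if absent."""
    return mapping.get(_norm(alert_msg))


def make_suppress(gid, sid):
    """snort.conf line that drops every event for this gid:sid."""
    return f"suppress gen_id {gid}, sig_id {sid}"


def make_event_filter(gid, sid, count=1, seconds=60, track="by_src"):
    """snort.conf line that rate-limits the event instead of silencing it."""
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track {track}, count {count}, seconds {seconds}")


def build_config(map_text, alert_msgs, mode="suppress"):
    """Return (config_lines, unresolved_messages) for the given alert messages.

    mode is "suppress" or "event_filter". Messages not present in the map are
    returned in unresolved_messages so they can be checked against the
    preprocessor README files or a different Snort version's gen-msg.map.
    """
    mapping = parse_gen_msg_map(map_text)
    lines, unresolved = [], []
    for msg in alert_msgs:
        hit = lookup(mapping, msg)
        if hit is None:
            unresolved.append(msg)
            continue
        gid, sid = hit
        lines.append(make_suppress(gid, sid) if mode == "suppress"
                     else make_event_filter(gid, sid))
    return lines, unresolved


if __name__ == "__main__":
    # Constructed list of messages as they would appear in the BASE console.
    seen = [
        "imap: Unknown IMAP4 command",
        "http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE",
        "some alert not in this map",
    ]
    cfg, missing = build_config(SAMPLE_GEN_MSG_MAP, seen, mode="event_filter")
    print("\n".join(cfg))
    for m in missing:
        print(f"# unresolved: {m!r} (not in gen-msg.map; check the README files)")
```

Prefer `event_filter` over `suppress` for noisy preprocessor events: a rate limit keeps one event per source per window in the console, so a genuine problem is still visible, whereas `suppress` hides it entirely.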