[Snort-sigs] mystery alerts

James Lay jlay at ...3266...
Thu Aug 30 18:27:23 EDT 2012


On 2012-08-30 16:03, Tony Reusser wrote:
> A question from a snort n00b:
>
> I see lots of alerts in my BASE console that I cannot find a
> corresponding rule for. Some of these alerts are numerous and obvious
> false positives. But I can't find any reference to the alert message
> in any rule file or gen-msg.map or sid-msg.map files in order to
> create a suppress rule or event_filter rule for the gen_id and sig_id
> numbers. I'm perplexed. Alert examples are below:
>
> imap: Unknown IMAP4 command
>
> imap: Unknown IMAP4 response
>
> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
>
> I realize these are preprocessor rules, but shouldn't I still see a
> reference in 'preprocessor.rules' ?
>
> Any help or advice would be appreciated.
>
> Tony

Tony,

In the Snort source code there's a directory called doc.  In there you 
will find README.imap and README.http_inspect which should help you out.

James
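Working through the question above as an added example (not code from this thread or from Snort): preprocessor alerts carry no rule in a .rules file, so the gen_id/sig_id that suppress and event_filter need come from gen-msg.map, whose lines use the real "gid || sid || message" layout. The script below parses a constructed sample of that file, matches an alert message as BASE displays it ("imap: ...") against the map's "(imap) ..." form, and emits the threshold.conf lines. The gid/sid values in the sample are assumptions for illustration only; look them up in the gen-msg.map shipped with your own Snort build before using the output.

```python
"""Map a preprocessor alert message back to gen_id/sig_id and emit
suppress / event_filter lines for threshold.conf.

Added example, not from the mailing-list thread or from Snort itself.
"""

import re

# Constructed sample in gen-msg.map's "gid || sid || msg" layout. The gid/sid
# numbers are ASSUMED for illustration; verify them in your own gen-msg.map.
SAMPLE_GEN_MSG_MAP = """\
# comment and blank lines are ignored by the parser
141 || 1 || (imap) Unknown IMAP4 command
141 || 2 || (imap) Unknown IMAP4 response

120 || 8 || (http_inspect) MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
"""


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from gen-msg.map text, skipping
    comments, blank lines and lines without the three '||' fields."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue  # malformed line; ignore rather than crash
        gid, sid, msg = int(parts[0]), int(parts[1]), parts[2]
        table[(gid, sid)] = msg
    return table


def normalize(msg):
    """Reduce 'imap: Unknown IMAP4 command' (console form) and
    '(imap) Unknown IMAP4 command' (map form) to the same
    (preprocessor, text) pair, compared case-insensitively."""
    m = re.match(r"^\s*(?:\((\w+)\)|(\w+):)\s*(.*)$", msg)
    if m:
        return (m.group(1) or m.group(2)).lower(), m.group(3).strip().lower()
    return "", msg.strip().lower()


def find_ids(alert_msg, table):
    """Return every (gid, sid) whose map message matches alert_msg."""
    want = normalize(alert_msg)
    return [ids for ids, msg in table.items() if normalize(msg) == want]


def suppress_line(gid, sid, ip=None):
    """threshold.conf suppress entry; optionally limited to one source IP."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if ip:
        line += f", track by_src, ip {ip}"
    return line


def event_filter_line(gid, sid, count=1, seconds=60):
    """threshold.conf event_filter that rate-limits instead of silencing."""
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count {count}, seconds {seconds}")


if __name__ == "__main__":
    table = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for alert in ("imap: Unknown IMAP4 command",
                  "imap: Unknown IMAP4 response",
                  "http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE"):
        ids = find_ids(alert, table)
        if not ids:
            print(f"# no gen-msg.map entry for: {alert}")
            continue
        for gid, sid in ids:
            print(suppress_line(gid, sid))
            print(event_filter_line(gid, sid))
```

Prefer event_filter over suppress for the noisy-but-legitimate cases: a rate limit still leaves a trace if the same alert suddenly changes volume, whereas suppress hides it entirely.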



