[Snort-users] http_decode alerts bypassing "pass" rules

Pete Philips pete at ...639...
Wed May 9 12:22:50 EDT 2001


I have several "pass" rules in my snort.conf (before the
http_decode preprocessor) which ignore all traffic to and
from certain machines which are regularly used to test
exploits etc.

This works fine and no alerts are generated by these hosts
except when they are generated by http_decode such as:

May  9 15:59:44 spock snort: spp_http_decode: IIS Unicode attack detected:
10.1.1.31:1312 -> 192.168.1.1:80

Is there a way to also silence these alerts for particular hosts?

Thanks!


Pete.

PS. I am running Snort 1.7 on OpenBSD.

  ---------------------------------------------------------------
|   Pete Philips                                           \|/  |
|   Integralis S3 Team                                      O   |
|   E-mail:  pete at ...639...                           |
|   Phone:   +44 118 930 6060                                   |
|   PGP Key: http://www.s3.integralis.co.uk/pgp/pete.gpg        |
  ---------------------------------------------------------------




