[Snort-users] Pre-processor Tuning

Bob Wallis gobroncos at ...3420...
Tue Jan 29 06:24:09 EST 2002


unidecode is the one giving me the most alerts on outbound packets at the
moment...

----- Original Message -----
From: "Martin Roesch" <roesch at ...1935...>
To: "Bob Wallis" <gobroncos at ...3420...>;
<snort-users at lists.sourceforge.net>
Sent: Monday, January 28, 2002 9:53 PM
Subject: Re: [Snort-users] Pre-processor Tuning


> Hm, there's likely no easy way to do this unfortunately.  Some of the
> preprocessors take tuning data, which one are you referring to in
> particular?
>
>      -Marty
>
> On 1/28/02 4:23 PM, "Bob Wallis" <gobroncos at ...3420...> wrote:
>
> > It seems that my snort box is doing a good job of decoding packets with, for
> > instance, the unidecode pre-processor.  However, all the alerts are with
> > sources from my network.  Can I tune that somehow?
> >
> > In rules, it's clear that one defines variables for the source that do not
> > include one's local network.  Can the same be done for the pre-processors?
> >
> > I've looked around in confs and docs and I'm not seeing it.
> >
> > Many thanks,
> >
> > B
> >
> >
>
> --
> Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>




