[Snort-users] Pre-processor Tuning

Martin Roesch roesch at ...1935...
Tue Jan 29 19:19:04 EST 2002


Try deactivating it and just using http_decode; their functionality overlaps
anyway...

    -Marty

On 1/29/02 9:23 AM, "Bob Wallis" <gobroncos at ...3420...> wrote:

> unidecode is the one giving me the most alerts on outbound packets at the
> moment...
> 
> ----- Original Message -----
> From: "Martin Roesch" <roesch at ...1935...>
> To: "Bob Wallis" <gobroncos at ...3420...>;
> <snort-users at lists.sourceforge.net>
> Sent: Monday, January 28, 2002 9:53 PM
> Subject: Re: [Snort-users] Pre-processor Tuning
> 
> 
>> Hm, there's likely no easy way to do this unfortunately.  Some of the
>> preprocessors take tuning data; which one are you referring to in
>> particular?
>> 
>>      -Marty
>> 
>> On 1/28/02 4:23 PM, "Bob Wallis" <gobroncos at ...3420...> wrote:
>> 
>>> It seems that my snort box is doing a good job of decoding packets with, for
>>> instance, the unidecode pre-processor.  However, all the alerts are with
>>> sources from my network.  Can I tune that somehow?
>>> 
>>> In rules, it's clear that one defines variables for the source that do not
>>> include one's local network.  Can the same be done for the pre-processors?
>>> 
>>> I've looked around in confs and docs and I'm not seeing it.
>>> 
>>> Many thanks,
>>> 
>>> B
>>> 
>>> 
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>> 
>> --
>> Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
>> Sourcefire: Professional Snort Sensor and Management Console appliances
>> roesch at ...1935... - http://www.sourcefire.com
>> Snort: Open Source Network IDS - http://www.snort.org
>> 
> 
> 
> 

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




