[Snort-users] drowning in http inspect NON RFC character alerts

John York YorkJ at ...7109...
Wed Feb 4 07:57:01 EST 2004


I'm getting 10-20,000 alerts/day on a small (<500 hosts) network.  I
tried adding no_alerts to my config as follows:

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 } \
    no_alerts

That didn't work.  I also tried non_rfc_char {  } in the hopes it
wouldn't check for anything, but it bombs on start.

I was able to use no_alerts on a unique server config with an IP address
and that did work for that one server (a McAfee ePO server--it uses http
to update virus clients and appears to do a lot of non-standard stuff.)
Unfortunately, most of the hits I have left are students in labs going
common sites like AOL.

Thanks
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255





More information about the Snort-users mailing list