[Snort-users] drowning in http inspect NON RFC character alerts

Jeremy Hewlett jh at ...1935...
Thu Feb 5 11:11:11 EST 2004


On Wed, Feb 04, John York wrote:
> I'm getting 10-20,000 alerts/day on a small (<500 hosts) network.  I
> tried adding no_alerts to my config as follows:

Snort v2.1.1-RC1 fixes the issue of no_alerts not quieting
non_rfc_chars.  Also, non_rfc_chars is no longer enabled in the
default profiles (so if you want it, you need to specifically include
it).
 
> That didn't work.  I also tried non_rfc_char {  } in the hopes it
> wouldn't check for anything, but it bombs on start.

You should just remove that option completely if you don't want it.




More information about the Snort-users mailing list