[Snort-users] Suppress OVERSIZE REQUEST-URI DIRECTORY alerts not working?

sekure sekure at ...11827...
Tue Sep 28 08:16:17 EDT 2004


That's an http_inspect alert, gen_id 119, not 1.

On Tue, 28 Sep 2004 06:59:27 -0700 (PDT), Aaron Giuoco
<agiuoco at ...131...> wrote:
> I was getting a lot of these OVERSIZE REQUEST-URI
> DIRECTORY alerts when users searched eBay.  So I
> decided to suppress all such alerts with the following
> suppression rules in my threshold.conf file.
> 
> # suppress all OVERSIZE REQUEST-URI DIRECTORY alerts going to eBay
> suppress gen_id 1, sig_id 15, track by_dst, ip 66.135.192.0/19
> suppress gen_id 1, sig_id 15, track by_dst, ip 216.113.160.0/19
> 
> But I am still getting alerts to these IPs.  Any ideas
> as to why?
> 
> AG
>
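
Added example (not part of the original thread, and not Snort's own code): a small Python check that models how the suppress lines quoted above are compared with an alert's [gen_id:sig_id:rev] header and destination address, showing why the gen_id 1 entries never match this alert while the gen_id 119 form does. The alert line, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# One "suppress" line of threshold.conf, in the single-network form quoted above.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")
# A "fast"-style alert line: [gid:sid:rev] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):\d+\].*?\{\w+\}\s+([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?")

def parse_suppressions(conf_text):
    """Return (gen_id, sig_id, track, network) tuples for each suppress line."""
    rules = []
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            gid, sid, track, net = m.groups()
            net = ipaddress.ip_network(net, strict=False) if net else None
            rules.append((int(gid), int(sid), track, net))
    return rules

def is_suppressed(alert_line, rules):
    """True if any rule matches the alert's generator, signature and tracked IP."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return False
    gid, sid = int(m.group(1)), int(m.group(2))
    src, dst = ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue  # generator id and signature id must both match
        if net is None or (dst if track == "by_dst" else src) in net:
            return True
    return False

# Constructed sample alert: timestamp, ports and addresses are made up.
ALERT = ("09/28-06:59:27.000000  [**] [119:15:1] (http_inspect) OVERSIZE "
         "REQUEST-URI DIRECTORY [**] {TCP} 192.168.1.10:1025 -> 66.135.192.87:80")

AS_POSTED = """suppress gen_id 1, sig_id 15, track by_dst, ip 66.135.192.0/19
suppress gen_id 1, sig_id 15, track by_dst, ip 216.113.160.0/19"""
CORRECTED = AS_POSTED.replace("gen_id 1,", "gen_id 119,")

if __name__ == "__main__":
    print("as posted :", is_suppressed(ALERT, parse_suppressions(AS_POSTED)))
    print("corrected :", is_suppressed(ALERT, parse_suppressions(CORRECTED)))
```

The same comparison can be done by eye: the bracketed triple in the alert output is gen_id:sig_id:rev, and the first two numbers are what a suppress line has to carry.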



