[Snort-users] http inspect editing

Chris Vaughan chrisv at ...12963...
Thu Feb 24 13:21:37 EST 2005

If all you want to do is delete it, add a suppress entry to your threshold.conf.

To find out the gen_id and sig_id, grep for the text in question in gen-msg.map.
# grep -i 'double decoding attack' gen-msg.map 
119 || 2 || http_inspect: DOUBLE DECODING ATTACK

Then, in your threshold.conf, add the following line:
suppress gen_id 119, sig_id 2

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...6193...sts.sourceforge.net]  On Behalf Of David Naylor
Sent:	Thursday, February 24, 2005 3:51 PM
To:	snort-users at lists.sourceforge.net
Subject:	[Snort-users] http inspect editing


   Does anyone know how to edit unclassified rules?  For example, I would like to edit or delete the rule for "double decoding attack" - http_inspect


David Naylor
IT Security Coordinator
Texas Trust
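
An added example, not part of the original thread: a shell sketch of the two steps in the reply above (look the message up in gen-msg.map, then add the suppress line), which skips entries already present in threshold.conf. The function names `suppress_for` and `add_suppress`, the temporary paths and the sample map are constructed for illustration.

```shell
#!/bin/sh
# suppress_for MAP PATTERN
# Print "suppress gen_id G, sig_id S" for every gen-msg.map entry whose
# message contains PATTERN (case-insensitive). Returns 1 when nothing matches.
suppress_for() {
    awk -F'[|][|]' -v pat="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF >= 3 {
            gen = $1; sig = $2
            gsub(/[ \t\r]/, "", gen); gsub(/[ \t\r]/, "", sig)
            if (gen !~ /^[0-9]+$/ || sig !~ /^[0-9]+$/) next   # malformed ids
            if (index(tolower($3), tolower(pat)) == 0) next
            printf "suppress gen_id %s, sig_id %s\n", gen, sig
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# add_suppress MAP PATTERN CONF
# Append the generated suppress lines to CONF, skipping any line that is
# already there verbatim (a differently spaced duplicate is not detected).
add_suppress() {
    conf=$3
    lines=$(suppress_for "$1" "$2") || {
        echo "no gen-msg.map entry matches '$2'" >&2
        return 1
    }
    touch "$conf"
    printf '%s\n' "$lines" | while IFS= read -r line; do
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# Constructed sample in gen-msg.map format; the 119 || 2 line is the one
# quoted in the reply, the 999 entry is made up.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gen-msg.map" <<'EOF'
# constructed sample
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
999 || 1 || example_preproc: CONSTRUCTED SAMPLE ENTRY
EOF
add_suppress "$demo_dir/gen-msg.map" 'double decoding attack' "$demo_dir/threshold.conf"
add_suppress "$demo_dir/gen-msg.map" 'double decoding attack' "$demo_dir/threshold.conf"
cat "$demo_dir/threshold.conf"   # one line only, despite two runs
```

Review the generated lines before reloading Snort, since a broad pattern can match and silence more than one alert.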
