[Snort-users] http inspect editing

Chris Vaughan chrisv at ...12963...
Thu Feb 24 13:21:37 EST 2005


If all you want to do is delete it, add a suppress entry to your threshold.conf.

To find out the gen_id and sig_id, grep for the text in question in gen-msg.map.
# grep -i 'double decoding attack' gen-msg.map 
119 || 2 || http_inspect: DOUBLE DECODING ATTACK

Then, in your threshold.conf, add the following line:
suppress gen_id 119, sig_id 2





 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...6193...sts.sourceforge.net]  On Behalf Of David Naylor
Sent:	Thursday, February 24, 2005 3:51 PM
To:	snort-users at lists.sourceforge.net
Subject:	[Snort-users] http inspect editing

Hello,

   Does anyone know how to edit unclassified rules?  For example, I would like to edit or delete the rule for "double decoding attack" - http_inspect

thanks,

David Naylor
IT Security Coordinator
Texas Trust
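
The lookup-and-suppress procedure from the reply above, as an added shell example that is not part of the original thread. It assumes the `gen_id || sig_id || message` layout shown in the grep output; the function names and the sample map are constructed for illustration.

```shell
# gen-msg.map line format (as in the thread): gen_id || sig_id || message

# suppress_lines MAPFILE TEXT
# Print "suppress gen_id G, sig_id S" for every map entry whose message
# contains TEXT (case-insensitive, literal substring rather than a regex).
suppress_lines() {
    WANT="$2" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]) }
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        {
            n = split($0, f, "[ \t]*[|][|][ \t]*")
            if (n < 3) next                       # not a gen || sig || msg line
            gen = f[1]; sig = f[2]; msg = f[3]
            gsub(/[ \t]/, "", gen); gsub(/[ \t]/, "", sig)
            if (gen !~ /^[0-9]+$/ || sig !~ /^[0-9]+$/) next
            for (i = 4; i <= n; i++) msg = msg " || " f[i]
            if (index(tolower(msg), want) > 0)
                printf "suppress gen_id %s, sig_id %s\n", gen, sig
        }
    ' "$1"
}

# add_suppress CONF MAPFILE TEXT
# Append the matching suppress lines to CONF, skipping ones already present.
# Returns 1 and leaves CONF untouched when TEXT matches no map entry.
add_suppress() {
    lines=$(suppress_lines "$2" "$3")
    if [ -z "$lines" ]; then
        echo "no gen-msg.map entry matches: $3" >&2
        return 1
    fi
    printf '%s\n' "$lines" | while IFS= read -r line; do
        grep -qxF -- "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
    done
}

# Constructed sample map; only the 119/2 line is taken from the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/gen-msg.map" <<'EOF'
# constructed excerpt
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
EOF
add_suppress "$demo_dir/threshold.conf" "$demo_dir/gen-msg.map" 'double decoding attack'
cat "$demo_dir/threshold.conf"
```

Running `add_suppress` a second time with the same text leaves threshold.conf unchanged, so it is safe to rerun after a rules update.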


