[Snort-users] Snort Configurations

Alex Tatistcheff alext at ...492...
Wed Sep 22 22:45:40 EDT 2010


You can suppress the alerting and not affect the normalization (the
important part) of the http_inspect preprocessor by commenting out the rules
in the preprocessor.rules file.

Or you can suppress the output in threshold.conf with something like:
suppress gen_id 119, sig_id 13

The first option is what I would recommend.

Alex Tatistcheff
alext at ...492...

The most terrifying words in the English language are, "I'm from the
government and I'm here to help." -Ronald Reagan
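As an added illustration of the second option above (not code from the list or from Snort itself): a small helper that looks up the gen:sid of the http_inspect messages from this thread in a preprocessor.rules excerpt and emits the matching threshold.conf suppress lines. The rules excerpt is constructed for the example, so the sids must be checked against your own preprocessor.rules, and the 192.168.0.0/16 range is an assumed internal network used to keep the suppression limited to internal sources.

```python
import re
from ipaddress import ip_network

# Constructed excerpt in the preprocessor.rules format (constructed for this
# example; verify the sids against the preprocessor.rules of your own install).
PREPROC_RULES = """
alert ( msg: "HTTP_INSPECT_NON_RFC_HTTP_DELIMITER"; sid: 13; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "HTTP_INSPECT_NON_RFC_DEFINED_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "HTTP_INSPECT_OVERSIZE_REQUEST_URI_DIRECTORY"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
# alert ( msg: "HTTP_INSPECT_ALREADY_DISABLED"; sid: 99; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "HTTP_INSPECT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
"""

# The alert names exactly as they appear in the thread.
ALERTS_SEEN = ["http_inspect: LONG HEADER",
               "http_inspect: NON-RFC DEFINED CHAR",
               "http_inspect: OVERSIZE REQUEST-URI DIRECTORY"]

RULE_RE = re.compile(r'msg:\s*"([^"]+)";\s*sid:\s*(\d+);\s*gid:\s*(\d+);')

def msg_from_alert(alert):
    """Turn 'http_inspect: LONG HEADER' into the rule msg 'HTTP_INSPECT_LONG_HEADER'."""
    return re.sub(r"[\s:-]+", "_", alert.strip()).upper()

def parse_preproc_rules(text):
    """Map each active preprocessor rule msg to (gid, sid); '#' lines are skipped."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            ids[m.group(1)] = (int(m.group(3)), int(m.group(2)))
    return ids

def suppress_lines(ids, msgs, internal_net=None):
    """Build threshold.conf 'suppress' entries for the given rule msgs.
    With internal_net set, only alerts sourced from that network are
    suppressed, so the same event from an outside host still alerts."""
    if internal_net is not None:
        internal_net = ip_network(internal_net)  # rejects a malformed CIDR
    out = []
    for msg in msgs:
        if msg not in ids:
            raise KeyError(f"no active preprocessor rule with msg {msg!r}")
        gid, sid = ids[msg]
        line = f"suppress gen_id {gid}, sig_id {sid}"
        if internal_net is not None:
            line += f", track by_src, ip {internal_net}"
        out.append(line)
    return out

if __name__ == "__main__":
    ids = parse_preproc_rules(PREPROC_RULES)
    for line in suppress_lines(ids, [msg_from_alert(a) for a in ALERTS_SEEN],
                               "192.168.0.0/16"):
        print(line)
```

The generated lines are appended to threshold.conf; normalization by http_inspect is unaffected, only the alert output is dropped.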


On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane at ...14965...>wrote:

> Well, there are 3 types of http_inspects that I am getting mainly:
> http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
> http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
> Every one of the sources is from inside my network. Many of them are to
> amazon EC, quantserve.com (cookie related), yahoo, google, facebook, and
> Pandora. So you can see that most of the traffic is legit and it isn't
> being triggered from outside the domain. I'm just not sure how to cut down
> on the number of alerts. When I get that done I will move on to the next,
> but I am trying to do this in steps so that I can understand everything that
> is going on.
>
> Greg Lane
> IT Manager
> Lane Enterprises
>
> Email:  greglane at ...14965...
> Phone: (228)872-2414
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Wednesday, September 22, 2010 1:21 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort Configurations
>
> On 9/22/2010 12:39, Greg Lane wrote:
> > I’m starting to learn how to tune my Snort install and it is a slow
> > process. I have alerts like crazy because I know it needs to be tuned and
> > I especially have a lot of http_inspect alerts coming up. I’ve been reading
> > and from what I can gather if you don’t have a webserver you may not really
> > need this in operation, or am I wrong?
>
> The answer is "it depends"... it depends on if you want to monitor outbound
> http traffic to possibly catch infestations on your network that are
> reporting in or attacking remote http servers... you might also catch (and
> be able to prevent) internal machines that are being redirected to driveby
> sites that would (attempt to) load them with infestation materials...
>
> > If I am wrong then what is the best possible solution for me to cut
> > down most of the alerts which are false positives so to speak or aren’t
> > dangerous at all? This will probably be one of many questions concerning
> > configs coming to an email box near you.
>
> False positives need to be reported to those who write those rules so they
> can be looked into and adjusted if necessary...
>
>
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users