[Snort-users] FW: Snort Configurations

Greg Lane greglane at ...14965...
Thu Sep 23 10:52:04 EDT 2010



Greg Lane
IT Manager
Lane Enterprises

Email:  greglane at ...14965...
Phone: (228)872-2414


-----Original Message-----
From: Greg Lane [mailto:greglane at ...14965...] 
Sent: Thursday, September 23, 2010 9:50 AM
To: 'Joel Esler'
Subject: RE: [Snort-users] Snort Configurations

I did twice.  I killed both the snort and barnyard2 processes and started
them again in the terminal and read barnyard2's output and the rule I
commented out in the preprocessor.rules file is still there.  In fact I
commented out all the http rules in the preprocessor.rules file and still
getting the alerts.  I looked in the gen-msg file and wonder if I should
comment those out also but they shouldn't even be getting to that point if
my logic is correct because the rule shouldn't be alerting. 

Greg Lane
IT Manager
Lane Enterprises

Email:  greglane at ...14965...
Phone: (228)872-2414


-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Thursday, September 23, 2010 9:45 AM
To: Greg Lane
Cc: Alex Tatistcheff; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Configurations

"Or you can suppress the output in threshold.conf with something like:
suppress gen_id 119, sig_id 13"


Make sure you restart Snort after the changes.

J

On Thu, Sep 23, 2010 at 10:22 AM, Greg Lane <greglane at ...14965...>
wrote:
> I’m commenting out the rules in the preprocessor.rules file and I’m still
> getting the alert.  Gen_id 119  sid 19 long header.  Why is it still
> alerting?
>
>
>
> Greg Lane
>
> IT Manager
>
> Lane Enterprises
>
>
>
> Email:  greglane at ...14965...
>
> Phone: (228)872-2414
>
>
>
> From: alex.tatistcheff at ...11827... [mailto:alex.tatistcheff at ...11827...] On
> Behalf Of Alex Tatistcheff
> Sent: Wednesday, September 22, 2010 9:46 PM
> To: Greg Lane
> Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
>
> Subject: Re: [Snort-users] Snort Configurations
>
>
>
> You can suppress the alerting and not affect the normalization (the
> important part) of the http_inspect preprocessor by commenting out the
> rules in the preprocessor.rules file.
>
> Or you can suppress the output in threshold.conf with something like:
> suppress gen_id 119, sig_id 13
>
> The first option is what I would recommend.
>
> Alex Tatistcheff
> alext at ...492...
>
> The most terrifying words in the English language are, "I'm from the
> government and I'm here to help." -Ronald Reagan
>
> On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane at ...14965...>
> wrote:
>
> Well there are 3 types of http_inspects that I am getting mainly.
>  http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
> http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
> Every one of the sources are from inside my network.  Many of them are to
> amazon EC, quantserve.com(cookie related), yahoo, google, facebook, and
> Pandora.  So you can see that most of the traffic is legit and it isn't
> being triggered from outside the domain.  I'm just not sure how to cut
> down on the number of alerts.  When I get that done I will move on to the
> next but I am trying to do this in steps so that I can understand
> everything that is going on
>
> Greg Lane
> IT Manager
> Lane Enterprises
>
> Email:  greglane at ...14965...
> Phone: (228)872-2414
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Wednesday, September 22, 2010 1:21 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort Configurations
>
> On 9/22/2010 12:39, Greg Lane wrote:
>> I’m starting to learn how to tune my Snort install and it is a slow
>> process.  I have alerts like crazy because I know it needs to be tuned
>> and I especially have a lot of http_inspect alerts coming up. I’ve been
>> reading and from what I can gather if you don’t have a webserver you may
>> not really need this in operation or am I wrong?
>
> the answer is "it depends"... it depends on if you want to monitor
> outbound http traffic to possibly catch infestations on your network that
> are reporting in or attacking remote http servers... you might also catch
> (and be able to prevent) internal machines that are being redirected to
> driveby sites that would (attempt to) load them with infestation
> materials...
>
>> If I am wrong then what is the best possible solution for me to cut
>> down most of the alerts which are false positives so to speak or aren’t
>> dangerous at all? This will probably be one of many questions concerning
>> configs coming to an email box near you.
>
> false positives need to be reported to those who write those rules so they
> can be looked into and adjusted if necessary...
>
>
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
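The tuning step Alex and Joel describe (suppressing http_inspect output in threshold.conf rather than disabling normalization), worked through as an added example that is not part of this thread: a script that tallies gen_id 119 events from Snort alert_fast lines and writes suppress entries, scoped with track by_src to the internal network, for the sids that fire repeatedly and only from inside. The alert lines are constructed; 119:19 (LONG HEADER) comes from the thread, the other sids and the 192.168.1.0/24 network are assumptions. Snort still has to be restarted after threshold.conf changes, as Joel notes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

HTTP_INSPECT_GID = 119  # generator id of the http_inspect preprocessor (see thread)

# One Snort alert_fast line: "<ts>  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+[\d.]+(?::\d+)?")

# Constructed sample alerts (not real traffic); 119:13 and 1:1000001 are assumed sids.
SAMPLE_ALERTS = """\
09/22-12:39:01.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.20:52340 -> 203.0.113.10:80
09/22-12:39:02.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.20:52341 -> 203.0.113.10:80
09/22-12:39:03.000001  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 192.168.1.31:40001 -> 198.51.100.7:80
09/22-12:39:04.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.31:40002 -> 198.51.100.9:80
09/22-12:39:05.000001  [**] [1:1000001:1] LOCAL constructed rule [**] [Priority: 2] {TCP} 10.0.0.5:1234 -> 192.168.1.20:445
"""

def parse_alerts(text):
    """Yield (gid, sid, msg, src) for every line in alert_fast format."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]

def tally_http_inspect(text, internal=ip_network("192.168.1.0/24")):
    """Count http_inspect events per sid and how many came from internal hosts."""
    by_sid, from_internal, msgs = Counter(), Counter(), {}
    for gid, sid, msg, src in parse_alerts(text):
        if gid != HTTP_INSPECT_GID:
            continue  # rule-based (gid 1) alerts are not what is being tuned here
        by_sid[sid] += 1
        msgs[sid] = msg
        if ip_address(src) in internal:
            from_internal[sid] += 1
    return by_sid, from_internal, msgs

def suppress_lines(text, internal=ip_network("192.168.1.0/24"), min_count=2):
    """threshold.conf 'suppress' entries for sids that fired >= min_count times, all
    from internal hosts; scoped by_src so other sources still alert and normalization
    is untouched. Anything rarer or from outside is left alerting for review."""
    by_sid, from_internal, msgs = tally_http_inspect(text, internal)
    lines = []
    for sid, n in sorted(by_sid.items()):
        if n >= min_count and from_internal[sid] == n:
            lines.append(f"# {msgs[sid]}: {n} events, all from {internal}\n"
                         f"suppress gen_id {HTTP_INSPECT_GID}, sig_id {sid}, track by_src, ip {internal}")
    return lines
```

Appending the output to threshold.conf silences LONG HEADER for the internal network only; the single 119:13 event stays visible because it has not yet shown itself to be noise.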