[Snort-users] Snort Configurations

waldo kitty wkitty42 at ...14940...
Thu Sep 23 15:04:04 EDT 2010


On 9/22/2010 22:45, Alex Tatistcheff wrote:
> You can suppress the alerting and not affect the normalization (the important
> part) of the http_inspect preprocessor by commenting out the rules in the
> preprocessor.rules file.

ahHa! those would be the HI_CLIENT_* rules for the http_inspect stuff...

in my situation, the one i see the most is the OVERSIZE_DIR alert... i handled 
that one by adjusting oversize_dir_length to 500 in my "server default"... that 
knocked them way back but i still get some which i suspect are mainly due to 
advertising urls and some referrers that search engines emit...

> Or you can suppress the output in threshold.conf with something like:
> suppress gen_id 119, sig_id 13
>
> The first option is what I would recommend.

i'm undecided which way i'd go... one may not want to completely terminate 
certain alerts... i think i'd probably tend to lean more toward suppressing them 
for specific IPs... too bad it can't be done by domain name but i fully 
understand why that would be a BadIdea<tm> ;)

anyone else care to share their preference/recommendation and the reasoning 
behind that choice??

>
> Alex Tatistcheff
> alext at ...492... <mailto:alext at ...492...>
>
> The most terrifying words in the English language are, "I'm from the government
> and I'm here to help." -Ronald Reagan
>
>
> On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane at ...14965...
> <mailto:greglane at ...14965...>> wrote:
>
>     Well there are 3 types of http_inspects that I am getting mainly.
>       http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
>     http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
>     Everyone of the sources are from inside my network.  Many of them are to
>     amazon EC, quantserve.com <http://quantserve.com>(cookie related), yahoo,
>     google, facebook, and Pandora.  So you can see that most of the traffic is
>     legit and it isn't being triggered from outside the domain.  I'm just not
>     sure how to cut down on the number of alerts.  When I get that done I will
>     move on to the next but I am trying to do this in steps so that I can
>     understand everything that is going on
>
>     Greg Lane
>     IT Manager
>     Lane Enterprises
>
>     Email: greglane at ...14965... <mailto:greglane at ...14965...>
>     Phone: (228)872-2414
>
>     -----Original Message-----
>     From: waldo kitty [mailto:wkitty42 at ...14940...
>     <mailto:wkitty42 at ...14940...>]
>     Sent: Wednesday, September 22, 2010 1:21 PM
>     To: snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
>     Subject: Re: [Snort-users] Snort Configurations
>
>     On 9/22/2010 12:39, Greg Lane wrote:
>      > I’m starting to learn how to tune my Snort install and it is a slow
>     process.  I
>      > have alerts like crazy because I know it needs to be tuned and I
>     especially have
>      > a lot of http_inspect alerts coming up. I’ve been reading and from what I can
>      > gather if you don’t have a websever you may not really need this in
>     operation or
>      > am I wrong?
>
>     the answer is "it depends"... it depends on if you want to monitor outbound http
>     traffic to possibly catch infestations on your network that are reporting in or
>     attacking remote http servers... you might also catch (and be able to prevent)
>     internal machines that are being redirected to driveby sites that would (attempt
>     to) load them with infestation materials...
>
>      > If I am wrong then what is the best possible solution for me to cut
>      > down most of the alerts which are false positives so to speak or aren’t
>      > dangerous at all? This will probably be one of many questions concerning
>     configs
>      > coming to an email box near you.
>
>     false positives need to be reported to those who write those rules so they can
>     be looked into and adjusted if necessary...





More information about the Snort-users mailing list