[Snort-users] Snort Configurations
wkitty42 at ...14940...
Thu Sep 23 15:04:04 EDT 2010
On 9/22/2010 22:45, Alex Tatistcheff wrote:
> You can suppress the alerting and not affect the normalization (the important
> part) of the http_inspect preprocessor by commenting out the rules in the
> preprocessor.rules file.
ahHa! those would be the HI_CLIENT_* rules for the http_inspect stuff...
in my situation, the one i see the most is the OVERSIZE_DIR alert... i handled
that one by adjusting oversize_dir_length to 500 in my "server default"... that
knocked them way back but i still get some which i suspect are mainly due to
advertising urls and some referrers that search engines emit...
> Or you can suppress the output in threshold.conf with something like:
> suppress gen_id 119, sig_id 13
> The first option is what I would recommend.
i'm undecided which way i'd go... one may not want to completely terminate
certain alerts... i think i'd probably tend to lean more toward suppressing them
for specific IPs... too bad it can't be done by domain name but i fully
understand why that would be a BadIdea<tm> ;)
anyone else care to share their preference/recommendation and the reasoning
behind that choice??
> Alex Tatistcheff
> alext at ...492...
> The most terrifying words in the English language are, "I'm from the government
> and I'm here to help." -Ronald Reagan
> On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane at ...14965...> wrote:
> Well there are 3 types of http_inspects that I am getting mainly.
> http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
> http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
> Every one of the sources is from inside my network. Many of them are to
> amazon EC, quantserve.com (cookie related), yahoo,
> google, facebook, and Pandora. So you can see that most of the traffic is
> legit and it isn't being triggered from outside the domain. I'm just not
> sure how to cut down on the number of alerts. When I get that done I will
> move on to the next but I am trying to do this in steps so that I can
> understand everything that is going on
> Greg Lane
> IT Manager
> Lane Enterprises
> Email: greglane at ...14965...
> Phone: (228)872-2414
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Wednesday, September 22, 2010 1:21 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort Configurations
> On 9/22/2010 12:39, Greg Lane wrote:
> > I’m starting to learn how to tune my Snort install and it is a slow process. I
> > have alerts like crazy because I know it needs to be tuned and I especially have
> > a lot of http_inspect alerts coming up. I’ve been reading and from what I can
> > gather if you don’t have a webserver you may not really need this in operation or
> > am I wrong?
> the answer is "it depends"... it depends on if you want to monitor outbound http
> traffic to possibly catch infestations on your network that are reporting in or
> attacking remote http servers... you might also catch (and be able to prevent)
> internal machines that are being redirected to driveby sites that would (attempt
> to) load them with infestation materials...
> > If I am wrong then what is the best possible solution for me to cut
> > down most of the alerts which are false positives so to speak or aren’t
> > dangerous at all? This will probably be one of many questions concerning
> > coming to an email box near you.
> false positives need to be reported to those who write those rules so they can
> be looked into and adjusted if necessary...
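To make the three tuning options discussed in this thread concrete, here is an added example (my own configuration fragments, not anything posted by the participants above) for a Snort 2.8.x install. The GID/SID pairs are the stock preprocessor.rules values as I recall them (119:15 is HI_CLIENT_OVERSIZE_DIR, 119:14 HI_CLIENT_NON_RFC_CHAR, 119:19 HI_CLIENT_LONG_HDR); the port list and the internal address ranges are assumptions. Confirm the sids against the msg strings in your own copy of preprocessor.rules before suppressing anything, since a wrong sid silently suppresses a different alert.

```conf
# --- snort.conf: keep normalization, raise the directory-length trigger ---
# "server default" is the http_inspect_server profile applied to HTTP traffic
# that no more specific "server <ip>" stanza matches. oversize_dir_length is
# the URI directory length (bytes) above which 119:15 fires; long advertising
# and search-engine referrer URLs trip the stock value constantly.
# The port list is an assumption; reuse whatever ports your config already lists.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    oversize_dir_length 500

# --- preprocessor.rules: silence an alert without touching normalization ---
# The preprocessor still decodes and normalizes the URI for the rules engine;
# commenting out the rule line only removes the alert. Abbreviated here, so
# match the exact line in your own preprocessor.rules:
# alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; ... )

# --- threshold.conf: suppress per source instead of globally ---
# Drops 119:15 only when the client is in the listed (assumed) internal ranges;
# the same alert from any other source still reaches you.
suppress gen_id 119, sig_id 15, track by_src, ip [10.0.0.0/8, 192.168.0.0/16]

# Global suppression, the form suggested upthread for sig_id 13: every hit is
# dropped regardless of source or destination, so you lose the signal entirely.
suppress gen_id 119, sig_id 15

# Middle ground: rate-limit rather than silence. At most one 119:14 alert per
# source address every 300 seconds. (Older 2.8.x configs spell this "threshold"
# instead of "event_filter".)
event_filter gen_id 119, sig_id 14, type limit, track by_src, count 1, seconds 300
```

Whichever form you pick, the ordering matters: the snort.conf change prevents the event from being generated at all above the new length, the preprocessor.rules edit prevents it from becoming an alert, and threshold.conf filters alerts after they are generated, so a suppress entry costs CPU on every hit while the first two do not.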