[Snort-users] Question on http_inspect

Lay, James james.lay at ...15009...
Tue Nov 8 11:00:59 EST 2011


From: Owen Blandford [mailto:OBlandford at ...15433...] 
Sent: Tuesday, November 08, 2011 6:36 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Question on http_inspect

I am seeing a vast number of http_inspect alerts for what is legitimate
traffic. How do I tune these alerts out?
Thanks,
Owen



Owen,

Threshold those babies out...for example:

threshold.conf:
suppress gen_id 120, sig_id 3

James




More information about the Snort-users mailing list