[Snort-users] IPv6 Alerts documentation & Disable alerts

Al Lewis (allewi) allewi at ...589...
Wed Aug 12 05:40:34 EDT 2015


These are decoder rules (GID 116). You should have an include in your snort.conf for a decoder.rules file:

"include preproc_rules/decoder.rules"

The decoder.rules file is where you want to look.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Gabriel Corre [mailto:gabriel.corre at ...17281...]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts

I'm running snort on a VPS (Debian 7.5).
I'm just trying some basic config and I'm receiving mainly these two alerts:

  *   [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
  *   [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]

I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" in snort.conf but it didn't disable the alerts.
Any ideas?
Finally, does [116:278:1] stand for [gid,sid,rev]?


Gabriel Corré
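
An added example, not part of either message above and not Snort project code: a Python script that reads the `[gid:sid:rev]` triple from fast-format alert headers like the two quoted in the thread and comments out the matching rules in the text of a decoder.rules file. The rule lines and their msg strings are constructed stand-ins for the real file, and the function names are hypothetical.

```python
import re

ALERT_ID = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")
# Constructed sample input: the two alert headers quoted in the thread, one repeated.
ALERTS = '''\
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
'''

# Constructed stand-in for preproc_rules/decoder.rules (msg strings are illustrative).
DECODER_RULES = '''\
alert ( msg:"EXAMPLE_IPV6_RESERVED_MULTICAST_DST"; sid:278; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"EXAMPLE_IPV6_BAD_NEXT_HEADER"; sid:281; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"EXAMPLE_OTHER_DECODER_EVENT"; sid:999; gid:116; rev:1; classtype:protocol-command-decode; )
# alert ( msg:"EXAMPLE_ALREADY_DISABLED"; sid:278; gid:1; rev:1; )
'''

def alert_ids(alert_text):
    """Count (gid, sid) pairs seen in fast-format alert headers."""
    counts = {}
    for gid, sid, _rev in ALERT_ID.findall(alert_text):
        key = (int(gid), int(sid))
        counts[key] = counts.get(key, 0) + 1
    return counts

def rule_id(line):
    """Return (gid, sid) of an active rule line, or None for comments and blanks."""
    if line.lstrip().startswith("#"):
        return None
    sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
    gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", line)
    if not sid:
        return None
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1

def disable_rules(rules_text, targets):
    """Comment out every active rule whose (gid, sid) is in targets."""
    out, changed = [], []
    for line in rules_text.splitlines():
        rid = rule_id(line)
        if rid in targets:
            changed.append(rid)
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    rules, changed = disable_rules(DECODER_RULES, set(alert_ids(ALERTS)))
    print(changed, rules, sep="\n")
```

Matching on the (gid, sid) pair rather than the sid alone keeps a rule with the same sid under a different generator untouched.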