[Snort-users] IPv6 Alerts documentation & Disable alerts
Al Lewis (allewi)
allewi at ...589...
Wed Aug 12 05:40:34 EDT 2015
These are decoder rules (GID 116). You should have an include in your snort.conf for a decoder.rules file:
The decoder.rules file is where you want to look.
Hope this helps.
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
From: Gabriel Corre [mailto:gabriel.corre at ...17281...]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts
I'm running snort 126.96.36.199 on a VPS (Debian 7.5).
I'm just trying some basic config and I'm receiving mainly these two alerts:
* [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
* [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" in snort.conf but it didn't disable the alerts.
Finally, does [116:278:1] stand for [gid,sid,rev]?
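
The bracketed triple in a Snort alert header is gid:sid:rev, so the two alerts above are GID 116 with SIDs 278 and 281. The script below is an added example, not part of either message and not Snort project code: it extracts those IDs from the alert text and comments out the matching active rules in a decoder.rules-style text. The sample rules are constructed with placeholder msg strings, and the `suppress` lines are the Snort 2.x event-suppression alternative to editing the rules file.

```python
import re

# Alert header as printed by Snort: [**] [gid:sid:rev] message [**]
ALERT_ID = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")
RULE_GID = re.compile(r"\bgid:\s*(\d+)\s*;")
RULE_SID = re.compile(r"\bsid:\s*(\d+)\s*;")

# The two alert headers quoted in the message above.
ALERTS = """\
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
"""

# Constructed sample in the style of a decoder.rules file (msg strings are placeholders).
SAMPLE_RULES = """\
alert ( msg:"PLACEHOLDER_A"; sid:278; gid:116; rev:1; classtype:protocol-command-decode; )
# alert ( msg:"PLACEHOLDER_B"; sid:279; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"PLACEHOLDER_C"; sid:281; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"PLACEHOLDER_D"; sid:281; gid:129; rev:1; classtype:protocol-command-decode; )
"""

def alert_ids(log_text):
    """Return the set of (gid, sid) pairs found in alert headers."""
    return {(int(g), int(s)) for g, s, _ in ALERT_ID.findall(log_text)}

def disable_rules(rules_text, ids):
    """Comment out every active rule whose (gid, sid) pair is in ids."""
    out, changed = [], []
    for line in rules_text.splitlines():
        gid, sid = RULE_GID.search(line), RULE_SID.search(line)
        key = (int(gid.group(1)), int(sid.group(1))) if gid and sid else None
        # Only touch active rules; lines already commented out stay as they are.
        if key in ids and line.lstrip().startswith("alert"):
            changed.append(key)
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", changed

def suppress_lines(ids):
    """Alternative: Snort 2.x suppress directives, one per (gid, sid) pair."""
    return [f"suppress gen_id {g}, sig_id {s}" for g, s in sorted(ids)]

if __name__ == "__main__":
    ids = alert_ids(ALERTS)
    new_rules, changed = disable_rules(SAMPLE_RULES, ids)
    print(new_rules)
    print("\n".join(suppress_lines(ids)))
```

The same SID under a different GID (the last sample rule) is left active, which is why the match is on the pair and not on the SID alone.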