[Snort-users] IPv6 Alerts documentation & Disable alerts

Gabriel Corre gabriel.corre at ...17281...
Wed Aug 12 06:07:00 EDT 2015

Got it !
Yeah it is GID 116 and SID 278/281. These alerts are in "decoder.rules" and the details are in "gen-msg.map".
Comment or Uncomment "include preproc_rules/decoder.rules" seems to be ineffective since I'm using pulledpork. I saw in the pulledpork.conf that all rules are regroup in "snort.rules" so I commented there the alerts I wanted to disabled.

Thanks for your help!


Gabriel Corré
Élève ngénieur Réseaux, Ops - Core Infrastructure

De : Al Lewis (allewi) [mailto:allewi at ...589...]
Envoyé : mercredi 12 août 2015 11:41
À : Gabriel Corre <gabriel.corre at ...17281...>
Cc : snort-users at lists.sourceforge.net
Objet : RE: IPv6 Alerts documentation & Disable alerts


These are decoder rules (GID 116). You should have an include  in your snort.conf for a decoder.rules file:

"include preproc_rules/decoder.rules"

The decoder.rules file is where you want to look.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Gabriel Corre [mailto:gabriel.corre at ...17281...]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts

I'm running snort on a VPS (Debian 7.5).
I'm just trying some basics config and I'm receiving mainly this two alerts :

  *   [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]header includes an invalid value for the "next header" field
  *   [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" into snort.conf but it didn't disable the alerts.
Any ideas?
Finally, [116:278:1] stand for [gid,sid,rev] ?


Gabriel Corré
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150812/d86236ac/attachment.html>

More information about the Snort-users mailing list