[Snort-users] IPv6 Alerts documentation & Disable alerts
gabriel.corre at ...17281...
Wed Aug 12 06:07:00 EDT 2015
Got it !
Yeah it is GID 116 and SID 278/281. These alerts are in "decoder.rules" and the details are in "gen-msg.map".
Commenting or uncommenting "include preproc_rules/decoder.rules" seems to be ineffective since I'm using pulledpork. I saw in the pulledpork.conf that all rules are regrouped in "snort.rules", so I commented out the alerts I wanted to disable there.
Thanks for your help!
Network Engineering Student, Ops - Core Infrastructure
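A small helper that follows the thread's resolution (added example, not code from the original posts, Snort or pulledpork): it pulls the [gid:sid:rev] tag out of alert lines, looks each one up in gen-msg.map's "gid || sid || message" layout, and emits the "gid:sid" entries that pulledpork's disablesid.conf accepts. The alert lines and map excerpt below are constructed samples, and the disablesid.conf format is assumed from pulledpork's usual convention.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's console/"fast" alert layout (not the poster's real log).
SAMPLE_ALERTS = """\
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
"""

# Constructed excerpt in gen-msg.map layout: "gid || sid || message".
SAMPLE_GEN_MSG_MAP = """\
116 || 278 || (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address
116 || 281 || (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field
"""

# Matches the [gid:sid:rev] tag; "[**]" and "[Classification: ...]" do not match.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_alert_ids(text):
    """Return (gid, sid, rev) tuples, one per alert tag, in order of appearance."""
    return [tuple(int(x) for x in m.groups()) for m in ALERT_RE.finditer(text)]


def load_gen_msg_map(text):
    """Map (gid, sid) -> message for every well-formed 'gid || sid || msg' line."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def summarize(alert_text, gen_msg_text):
    """Count alerts per (gid, sid) and attach the gen-msg.map text where it is known."""
    table = load_gen_msg_map(gen_msg_text)
    counts = Counter((gid, sid) for gid, sid, _rev in parse_alert_ids(alert_text))
    return {key: (n, table.get(key, "<not in gen-msg.map>")) for key, n in counts.items()}


def disablesid_lines(alert_text, gid=116):
    """Emit sorted 'gid:sid' entries for one generator (default: the 116 decoder) for disablesid.conf."""
    ids = sorted({(g, s) for g, s, _r in parse_alert_ids(alert_text) if g == gid})
    return [f"{g}:{s}" for g, s in ids]
```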
From: Al Lewis (allewi) [mailto:allewi at ...589...]
Sent: Wednesday, August 12, 2015 11:41
To: Gabriel Corre <gabriel.corre at ...17281...>
Cc: snort-users at lists.sourceforge.net
Subject: RE: IPv6 Alerts documentation & Disable alerts
These are decoder rules (GID 116). You should have an include in your snort.conf for a decoder.rules file:
The decoder.rules file is where you want to look.
Hope this helps.
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
From: Gabriel Corre [mailto:gabriel.corre at ...17281...]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts
I'm running snort 188.8.131.52 on a VPS (Debian 7.5).
I'm just trying some basic config and I'm receiving mainly these two alerts:
* [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
* [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" in snort.conf but it didn't disable the alerts.
Finally, does [116:278:1] stand for [gid,sid,rev]?