snort-users September 2010 archive

Re: [Snort-users] Snort Configurations

From: Joel Esler <jesler_at_nospam>
Date: Thu Sep 23 2010 - 14:44:51 GMT
To: Greg Lane <greglane@laneconstinc.com>

"Or you can suppress the output in threshold.conf with something like:
suppress gen_id 119, sig_id 13"

Make sure you restart Snort after the changes.

J
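The two options in this thread (commenting out the alert lines in preprocessor.rules, or a `suppress` entry in threshold.conf) both silence the output without touching http_inspect's normalization. The following is an added illustration, not code from the thread or from Snort itself: a small Python simulator that reads threshold.conf `suppress` lines and decides, for sample alerts in Snort's "fast" alert format, which ones would be dropped. It uses the thread's gid 119 / sid 13 example as a global suppress and shows the narrower `track by_src, ip <cidr>` form for the LONG HEADER alert (gid 119 / sid 19) that Greg is actually seeing, so that only hits from his internal network are silenced while the same alert from any other source still fires. The 192.168.0.0/16 range, the alert lines and the message text for sids 13 and 15 are constructed for the example.

```python
import ipaddress
import re

# Constructed threshold.conf fragment (not from the thread or a real install).
THRESHOLD_CONF = """\
# the thread's example: silence gid 119 / sid 13 from every source
suppress gen_id 119, sig_id 13
# the thread's actual alert (LONG HEADER, gid 119 / sid 19), silenced only when
# the client is on the internal LAN (192.168.0.0/16 is an assumed example range)
suppress gen_id 119, sig_id 19, track by_src, ip 192.168.0.0/16
"""

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

# Pulls [gid:sid:rev], the message, and "src:port -> dst:port" out of a
# Snort fast-format alert line.
ALERT_RE = re.compile(
    r"\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"([0-9a-fA-F.:]+):\d+\s+->\s+([0-9a-fA-F.:]+):\d+"
)

# Constructed sample alerts; message text for sids 13 and 15 is illustrative.
SAMPLE_ALERTS = [
    "09/22-12:39:01.100000  [**] [119:19:1] (http_inspect) LONG HEADER [**] "
    "[Priority: 3] {TCP} 192.168.1.10:51234 -> 72.21.211.1:80",
    "09/22-12:39:02.200000  [**] [119:19:1] (http_inspect) LONG HEADER [**] "
    "[Priority: 3] {TCP} 10.0.0.5:40000 -> 192.168.1.20:80",
    "09/22-12:39:03.300000  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] "
    "[Priority: 3] {TCP} 192.168.1.11:51235 -> 74.125.0.1:80",
    "09/22-12:39:04.400000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] "
    "[Priority: 3] {TCP} 192.168.1.12:51236 -> 69.171.0.1:80",
]


def parse_threshold_conf(text):
    """Return a list of suppress rules; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold.conf line: {line!r}")
        gid, sid, track, net = m.groups()
        rules.append({
            "gid": int(gid),
            "sid": int(sid),
            "track": track,  # None means "suppress regardless of address"
            "net": ipaddress.ip_network(net, strict=False) if net else None,
        })
    return rules


def parse_alert(line):
    """Extract gid, sid, message and endpoints from one fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"not a fast-format alert: {line!r}")
    gid, sid, msg, src, dst = m.groups()
    return {
        "gid": int(gid), "sid": int(sid), "msg": msg,
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
    }


def is_suppressed(alert, rules):
    """True if any suppress rule matches the alert's gid/sid (and address)."""
    for r in rules:
        if (r["gid"], r["sid"]) != (alert["gid"], alert["sid"]):
            continue
        if r["track"] is None:
            return True
        addr = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if addr in r["net"]:
            return True
    return False


def filter_alerts(lines, conf=THRESHOLD_CONF):
    """Return only the alert lines that survive the suppress rules."""
    rules = parse_threshold_conf(conf)
    return [line for line in lines if not is_suppressed(parse_alert(line), rules)]


if __name__ == "__main__":
    for line in filter_alerts(SAMPLE_ALERTS):
        print(line)
```

With this fragment the LONG HEADER alert from 192.168.1.10 and the sid 13 alert are dropped, while the LONG HEADER hit from 10.0.0.5 and the sid 15 alert are still reported. The by_src form is the one worth reaching for when, as here, the noise comes entirely from internal clients: a global `suppress` would also hide the same condition coming from an outside host. Whichever option is used, Snort only reads threshold.conf and the rules files at startup, so the change takes effect after a restart (a config test with `snort -T -c <snort.conf>` beforehand catches syntax mistakes).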

On Thu, Sep 23, 2010 at 10:22 AM, Greg Lane <greglane@laneconstinc.com> wrote:
> I'm commenting out the rules in the preprocessor.rules file and I'm still
> getting the alert. Gen_id 119 sid 19 long header. Why is it still
> alerting?
>
>
>
> Greg Lane
>
> IT Manager
>
> Lane Enterprises
>
>
>
> Email: greglane@laneconstinc.com
>
> Phone: (228)872-2414
>
>
>
> From: alex.tatistcheff@gmail.com [mailto:alex.tatistcheff@gmail.com] On
> Behalf Of Alex Tatistcheff
> Sent: Wednesday, September 22, 2010 9:46 PM
> To: Greg Lane
> Cc: wkitty42@windstream.net; snort-users@lists.sourceforge.net
>
> Subject: Re: [Snort-users] Snort Configurations
>
>
>
> You can suppress the alerting and not affect the normalization (the
> important part) of the http_inspect preprocessor by commenting out the rules
> in the preprocessor.rules file.
>
> Or you can suppress the output in threshold.conf with something like:
> suppress gen_id 119, sig_id 13
>
> The first option is what I would recommend.
>
> Alex Tatistcheff
> alext@pobox.com
>
> The most terrifying words in the English language are, "I'm from the
> government and I'm here to help." -Ronald Reagan
>
> On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane@laneconstinc.com>
> wrote:
>
> Well there are 3 types of http_inspects that I am getting mainly.
> http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
> http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
> Everyone of the sources are from inside my network. Many of them are to
> amazon EC, quantserve.com(cookie related), yahoo, google, facebook, and
> Pandora. So you can see that most of the traffic is legit and it isn't
> being triggered from outside the domain. I'm just not sure how to cut down
> on the number of alerts. When I get that done I will move on to the next
> but I am trying to do this in steps so that I can understand everything that
> is going on
>
> Greg Lane
> IT Manager
> Lane Enterprises
>
> Email: greglane@laneconstinc.com
> Phone: (228)872-2414
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42@windstream.net]
> Sent: Wednesday, September 22, 2010 1:21 PM
> To: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Snort Configurations
>
> On 9/22/2010 12:39, Greg Lane wrote:
>> I'm starting to learn how to tune my Snort install and it is a slow
>> process. I have alerts like crazy because I know it needs to be tuned and I
>> especially have a lot of http_inspect alerts coming up. I've been reading
>> and from what I can gather if you don't have a webserver you may not really
>> need this in operation or am I wrong?
>
> the answer is "it depends"... it depends on if you want to monitor outbound
> http traffic to possibly catch infestations on your network that are
> reporting in or attacking remote http servers... you might also catch (and
> be able to prevent) internal machines that are being redirected to driveby
> sites that would (attempt to) load them with infestation materials...
>
>> If I am wrong then what is the best possible solution for me to cut
>> down most of the alerts which are false positives so to speak or aren't
>> dangerous at all? This will probably be one of many questions concerning
>> configs coming to an email box near you.
>
> false positives need to be reported to those who write those rules so they
> can be looked into and adjusted if necessary...
>
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
