Snort mailing list archives
Re: disabling the new spew of spp_rpc_decode alerts
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 7 Mar 2003 09:50:31 +1300
On Thu, Mar 06, 2003 at 03:01:29PM -0500, AppleAnnie331 () aol com wrote:
preprocessor rpc_decode: 111 32771 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete in your config file does the trick
Isn't that the same as just disabling the preprocessor? If you know you don't have any RPC servers running on port 32771, removing that number will probably remove *all* the false positives too... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- disabling the new spew of spp_rpc_decode alerts AppleAnnie331 (Mar 06)
- <Possible follow-ups>
- Re: disabling the new spew of spp_rpc_decode alerts AppleAnnie331 (Mar 06)
- Re: disabling the new spew of spp_rpc_decode alerts Jason Haar (Mar 06)
- ports running RPC svcs (was Re: disabling the new spew of spp_rpc_decode alerts) Bennett Todd (Mar 07)
- Re: disabling the new spew of spp_rpc_decode alerts Jason Haar (Mar 06)