Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: drowning in http inspect NON RFC character alerts

From: Jeremy Hewlett <jh () sourcefire com>
Date: Thu, 5 Feb 2004 14:20:04 -0500
On Wed, Feb 04, John York wrote:

I'm getting 10-20,000 alerts/day on a small (<500 hosts) network.  I
tried adding no_alerts to my config as follows:


Snort v2.1.1-RC1 fixes the issue of no_alerts not quieting
non_rfc_chars.  Also, non_rfc_chars is no longer enabled in the
default profiles (so if you want it, you need to specifically include
it).
 

That didn't work.  I also tried non_rfc_char {  } in the hopes it
wouldn't check for anything, but it bombs on start.


You should just remove that option completely if you don't want it.


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: