Snort mailing list archives
Re: drowning in http inspect NON RFC character alerts
From: Jeremy Hewlett <jh () sourcefire com>
Date: Thu, 5 Feb 2004 14:20:04 -0500
On Wed, Feb 04, John York wrote:
I'm getting 10-20,000 alerts/day on a small (<500 hosts) network. I tried adding no_alerts to my config as follows:
Snort v2.1.1-RC1 fixes the issue of no_alerts not quieting non_rfc_chars. Also, non_rfc_chars is no longer enabled in the default profiles (so if you want it, you need to specifically include it).
That didn't work. I also tried non_rfc_char { } in the hopes it wouldn't check for anything, but it bombs on start.
You should just remove that option completely if you don't want it. ------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- drowning in http inspect NON RFC character alerts John York (Feb 04)
- Re: drowning in http inspect NON RFC character alerts Jeremy Hewlett (Feb 05)