Snort mailing list archives

Re: IPv6 Alerts documentation & Disable alerts


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 12 Aug 2015 09:40:34 +0000

Hello,

These are decoder rules (GID 116). You should have an include in your snort.conf for a decoder.rules file:

"include preproc_rules/decoder.rules"

The decoder.rules file is where you want to look.


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Gabriel Corre [mailto:gabriel.corre () fr clara net]
Sent: Wednesday, August 12, 2015 3:47 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IPv6 Alerts documentation & Disable alerts

Hello,
I'm running snort 2.9.7.5 on a VPS (Debian 7.5).
I'm just trying some basic configs and I'm receiving mainly these two alerts:

  *   [**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
  *   [**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
I failed to find where these alerts are described and also where to disable them.
I had "config ipv6_frag: bsd_icmp_frag_alert off, bad_ipv6_frag_alert off" in snort.conf but it didn't disable the alerts.
Any ideas?
Finally, does [116:278:1] stand for [gid,sid,rev]?
Regards,

--

Gabriel Corré
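
Added example, not part of the original thread and not Snort project code: a small Python helper that reads the [gid:sid:rev] header of the two alerts quoted above, finds the matching active rules in a decoder.rules-style file, and comments them out. The rules excerpt and its msg text are constructed placeholders; the `suppress gen_id ..., sig_id ...` lines it also prints are the Snort 2.x event-suppression syntax, shown as an alternative that leaves decoder.rules untouched.

```python
import re

ALERT_ID = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")  # [**] [gid:sid:rev]
OPTION = re.compile(r"\b(gid|sid)\s*:\s*(\d+)\s*;")         # rule options, any order

# The two alert headers quoted in the thread.
SAMPLE_ALERTS = '''\
[**] [116:278:1] (snort_decoder) WARNING: IPv6 packet with reserved multicast destination address [**]
[**] [116:281:1] (snort_decoder) WARNING: IPv6 header includes an invalid value for the "next header" field [**]
'''

# Constructed stand-in for preproc_rules/decoder.rules (msg text is a placeholder).
SAMPLE_RULES = '''\
alert ( msg:"placeholder A"; sid:277; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"placeholder B"; sid: 278; gid: 116; rev: 1; classtype:protocol-command-decode; )
# alert ( msg:"placeholder C"; sid:281; gid:116; rev:1; classtype:protocol-command-decode; )
alert ( msg:"placeholder D"; gid:116; sid:281; rev:1; classtype:protocol-command-decode; )
'''

def alert_ids(log_text):
    """Return the distinct (gid, sid) pairs seen in alert headers, sorted."""
    return sorted({(int(g), int(s)) for g, s, _ in ALERT_ID.findall(log_text)})

def rule_id(line):
    """(gid, sid) of an active rule line, or None for comments and non-rules."""
    opts = dict(OPTION.findall(line))
    if line.lstrip().startswith("#") or "sid" not in opts:
        return None
    return (int(opts.get("gid", 1)), int(opts["sid"]))  # a rule without gid is gid 1

def disable_rules(rules_text, ids):
    """Comment out active rules whose (gid, sid) is in ids; return (text, line numbers)."""
    out, hits = [], []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if rule_id(line) in ids:
            hits.append(n)
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", hits

def suppress_lines(ids):
    """Snort 2.x suppress entries for the same events."""
    return [f"suppress gen_id {g}, sig_id {s}" for g, s in ids]

if __name__ == "__main__":
    ids = alert_ids(SAMPLE_ALERTS)
    print("rule lines commented out:", disable_rules(SAMPLE_RULES, set(ids))[1])
    print("\n".join(suppress_lines(ids)))
```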