RE: [Snort-users] drowning in http inspect NON

02-05-2004
SN ORT

Just either delete those preprocessor lines or comment them out!

Cheese!

Marc

-----------------------Original Message----------------
Message: 8
Date: Wed, 4 Feb 2004 10:56:14 -0500
From: "John York" <YorkJ@brcc.edu>
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] drowning in http inspect NON RFC character alerts

I'm getting 10-20,000 alerts/day on a small (<500 hosts) network. I tried adding no_alerts to my config as follows:

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all \
ports { 80 8080 } \
no_alerts

That didn't work. I also tried non_rfc_char { } in the hopes it wouldn't check for anything, but it bombs on start.

I was able to use no_alerts on a unique server config with an IP address and that did work for that one server (a McAfee ePO server--it uses http to update virus clients and appears to do a lot of non-standard stuff.) Unfortunately, most of the hits I have left are students in labs going to common sites like AOL.

Thanks
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255