Re: [Snort-users] Ok, Ok - I know - http_inspect
At 06:42 AM 6/19/2004, SN ORT wrote:
Hi Marc,

>Yes, but is that really gen_id 119? I mean you can
>threshold the snort sigs but I don't know that you can
>threshold inspect alerts! Anyone try to threshold
>decode or inspect alerts? I don't know because I have
>not looked at threshold too much, but I do know that
>you have to specify a sig_id, which these particular
>alerts do not have. Good luck sir!

Even the pre-processors have SIDs, as well as their GID number. You can threshold (or suppress) specific SIDs generated by the pre-processors (GIDs) with no problem.

You can find the GID/SID matrix in the snort source in the file generators.h.

More details about configuration of thresholding are in the Snort manual:
http://www.snort.org/docs/snort_manual/node18.html

Regards,
Chris.
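An added example, not part of the original message: the script below reads the `[gid:sid:rev]` triplet from alert lines and emits a `threshold` line for each noisy preprocessor alert, in the form the Snort manual describes. The sample alerts, the function names and the `min_hits` cutoff are constructed for illustration; confirm each GID/SID pair against generators.h for your Snort version.

```python
import re
from collections import Counter

# Matches the [gid:sid:rev] triplet and message Snort prints in an alert header.
ALERT_ID = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample alert lines (fast-alert style); not taken from the thread.
SAMPLE_ALERTS = """\
06/19-06:40:01.100000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 10.0.0.5:1042 -> 192.0.2.10:80
06/19-06:40:02.200000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 10.0.0.5:1043 -> 192.0.2.10:80
06/19-06:40:03.300000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 10.0.0.5:1044 -> 192.0.2.10:80
06/19-06:40:04.400000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 10.0.0.7:2001 -> 192.0.2.10:80
06/19-06:40:05.500000  [**] [1:1000001:1] constructed local rule [**] {TCP} 10.0.0.9:3001 -> 192.0.2.10:80
"""

def tally(lines):
    """Count alerts per (gid, sid) and keep the first message seen for each."""
    counts, msgs = Counter(), {}
    for line in lines:
        m = ALERT_ID.search(line)
        if not m:
            continue  # not an alert header line
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        msgs.setdefault(key, m.group(4))
    return counts, msgs

def threshold_lines(counts, msgs, min_hits=3, seconds=60):
    """Emit a 'threshold' line for each preprocessor alert (gid != 1)
    seen at least min_hits times; gid 1 is the ordinary rules engine."""
    out = []
    for (gid, sid), n in sorted(counts.items()):
        if gid != 1 and n >= min_hits:
            out.append(f"# {msgs[(gid, sid)]} ({n} alerts in sample)")
            out.append(
                f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count 1, seconds {seconds}"
            )
    return out

if __name__ == "__main__":
    c, m = tally(SAMPLE_ALERTS.splitlines())
    print("\n".join(threshold_lines(c, m)))
```

To silence a pair entirely rather than rate-limit it, the matching line is `suppress gen_id <gid>, sig_id <sid>`.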