Re: [Snort-users] http inspect editing
This is a discussion on Re: [Snort-users] http inspect editing within the Snort forums, part of the System Security and Security Related category; At 03:51 PM 2/24/2005, David Naylor wrote: > Does anyone know how to edit unclassified rules? For ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-25-2005
|
|||
|
|||
Re: [Snort-users] http inspect editing
At 03:51 PM 2/24/2005, David Naylor wrote:
> Does anyone know how to edit unclassified rules? For example, I would > like to edit or delete the rule for "double decoding attack" - http_inspect That's not a rule at all, it's an alert generated by a preprocessor. Since it's not a rule, you'd need to modify the source code for http_inspect and recompile snort to do any kind of edit. However, you can change the parameters you pass to http_inspect in your snort.conf to disable this detection. Just add "double_decode no" to your profile in snort.conf. My personaly approach is to not have any "default" http_inspect. I only run http_inspect against my specific webservers. i.e: preprocessor http_inspect_server: server 208.39.141.94 \ profile all ports <censored rest of config> See the README.http_inspect that comes with the snort tarball for a bit more detail on what kinds of things you can tell http_inspect to do or not do. ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
