Snort: Difference between revisions
From MediaWiki
Jump to navigationJump to search
m (Added external link) |
|||
Line 25: | Line 25: | ||
</pre> | </pre> | ||
== References == | |||
: [http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/node11.html#SECTION00317000000000000000 sfPortscan Module] ; Notes on fine tuning the port scan module in '''Snort'''. |
Latest revision as of 09:12, 29 March 2007
Snort Configuration Tips
Disabling Rules By ID
One should be able to disable rules by adding the rule ID to the file: "threshold.conf" (located in the snort rules directory). For example, adding the following to the end of the file: "threshold.conf" should disable the: "http_inspect: DOUBLE DECODING ATTACK" and "http_inspect: OVERSIZE REQUEST-URI DIRECTORY" rules:
suppress gen_id 119, sig_id 2 # disable http_inspect: DOUBLE DECODING ATTACK alerts suppress gen_id 119, sig_id 15 # disable http_inspect: OVERSIZE REQUEST-URI DIRECTORY alerts
NOTE: The file: "threshold.conf" is not loaded by default. So, you will also need to modify your snort configuration file(s). Search for: "threshold.conf" in the "snort.conf" file(s) and uncomment and modify it as shown below:
# Include any thresholding or suppression commands. See threshold.conf in the # <snort src>/etc directory for details. Commands don't necessarily need to be # contained in this conf, but a separate conf makes it easier to maintain them. # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\etc\threshold.conf # Uncomment if needed. include $RULE_PATH/threshold.conf
References
- sfPortscan Module ; Notes on fine tuning the port scan module in Snort.