[Snort-users] Suppress OVERSIZE REQUEST-URI DIRECTORY alerts not working?
(Snort-users mailing list archive, September 2004)
Aaron Giuoco 2004-09-28, 5:47 pm
I was getting a lot of these OVERSIZE REQUEST-URI
DIRECTORY alerts when users searched eBay. So I
decided to suppress all such alerts with the following
suppression rules in my threshold.conf file.
# suppress all OVERSIZE REQUEST-URI DIRECTORY alerts going to eBay
suppress gen_id 1, sig_id 15, track by_dst, ip 66.135.192.0/19
suppress gen_id 1, sig_id 15, track by_dst, ip 216.113.160.0/19
But I am still getting alerts to these IPs. Any ideas
as to why?
AG
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Marc Hultquist 2004-09-28, 5:47 pm
Are you sure you have referenced the rule file to be loaded correctly?
--
Marc Hultquist (marc@cks.co.za)
Computerkit Systems (Pty) Ltd
Networking Division
http://www.cks.co.za
Personal: http://soulcandyza.blogspot.com/
(P) +27 11 695 5317
(C) +27 82 563 2861
(F) +27 11 312 1408
sekure 2004-09-28, 5:47 pm
That's an http_inspect alert, gen_id 119, not 1.
On Tue, 28 Sep 2004 06:59:27 -0700 (PDT), Aaron Giuoco
<agiuoco@yahoo.com> wrote:
> I was getting a lot of these OVERSIZE REQUEST-URI
> DIRECTORY alerts when users searched eBay. So I
> decided to suppress all such alerts with the following
> suppression rules in my threshold.conf file.
>
> # suppress all OVERSIZE REQUEST-URI DIRECTORY alerts going to eBay
> suppress gen_id 1, sig_id 15, track by_dst, ip 66.135.192.0/19
> suppress gen_id 1, sig_id 15, track by_dst, ip 216.113.160.0/19
>
> But I am still getting alerts to these IPs. Any ideas
> as to why?
>
> AG
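An added example, not code from the thread or from Snort itself: a small model of how Snort 2.x matches threshold.conf "suppress" entries, used to show why the poster's gen_id 1 entries never match the http_inspect alert (generator 119, sig 15, as sekure points out). The threshold.conf text is constructed from the thread; the gen_id 119 version is the corrected configuration.

```python
"""Model of Snort 2.x threshold.conf 'suppress' matching (illustrative only).

A suppress entry matches an alert only when BOTH gen_id and sig_id match;
'track by_src'/'by_dst' with 'ip' then narrows it to a source or destination
network. http_inspect alerts carry gen_id 119, so an entry for gen_id 1
(the rules engine) never applies to them.
"""
import ipaddress
import re

# Constructed threshold.conf contents: the poster's entries, then the fix
# suggested in the thread (gen_id 119 instead of gen_id 1).
ORIGINAL_CONF = """
# suppress all OVERSIZE REQUEST-URI DIRECTORY alerts going to eBay
suppress gen_id 1, sig_id 15, track by_dst, ip 66.135.192.0/19
suppress gen_id 1, sig_id 15, track by_dst, ip 216.113.160.0/19
"""
CORRECTED_CONF = ORIGINAL_CONF.replace("gen_id 1,", "gen_id 119,")

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(conf):
    """Return (gid, sid, track, network) tuples; network is None when the
    entry suppresses the signature for every address."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparsed suppress line: %r" % line)
        gid, sid, track, net = m.groups()
        entries.append((int(gid), int(sid), track,
                        ipaddress.ip_network(net) if net else None))
    return entries


def is_suppressed(entries, gid, sid, src, dst):
    """True if alert gid:sid from src to dst matches any suppress entry."""
    for e_gid, e_sid, track, net in entries:
        if (e_gid, e_sid) != (gid, sid):     # generator AND sig must match
            continue
        if net is None:
            return True
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if addr in net:
            return True
    return False
```

Running the http_inspect alert 119:15 against both configurations shows the original entries leave it unsuppressed while the gen_id 119 entries suppress it only for the two eBay networks.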