If all you want to do it delete it, add suppress entry to your threshold.conf
To find out the gen_id and sig_id, grep for the text in question in gen-msg.map.
# grep -i 'double decoding attack' gen-msg.map
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
Then, in your threshold.conf, add the following line:
suppress gen_id 119, sig_id 2
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of David Naylor
Sent: Thursday, February 24, 2005 3:51 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] http inspect editing
Hello,
Does anyone know how to edit unclassified rules? For example, I would like
to edit or delete the rule for "double decoding attack" - http_inspect
thanks,
David Naylor
IT Security Coordinator
Texas Trust
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id�396&op=ick
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id�396&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
