List:       security-onion
Subject:    [security-onion] Can't Suppress or Disable Sensitive data/http_inspect preprocessor rules
From:       "Drew D." <dixon1dw () gmail ! com>
Date:       2014-02-27 17:18:31
Message-ID: 41de8ccd-075c-4444-a188-2b0c5a0aa79a () googlegroups ! com
Hi,

I replied to an extremely closely related older thread but am starting a new one here at Doug's request:

I cannot get the following alerts to suppress, and they are cluttering up my metrics and my ability to monitor for legitimate alerts:

sensitive_data: sensitive data global threshold exceeded
sensitive_data: sensitive data - eMail addresses
http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED

I've added them to /etc/nsm/rules/threshold.conf using my network CIDR range, and also tried using 0.0.0.0/0 when my network CIDR range didn't appear to be working to suppress the alerts; this still did not suppress them.

I've been focusing on the sensitive data alerts/rules, trying to get them to shut up, but no matter what I do it doesn't seem to work. Via a suggestion in the old thread I mentioned, I went into snort.conf and commented out the line for the sensitive data preprocessor to totally disable it, but when I did this my snort service would not start for some reason. I also went into the pulledpork disabled conf and added the sensitive data preprocessor; this didn't prevent the snort service from running, but it also didn't kill the alerts either.

At this point I don't know what else I can do to suppress these. Any and all help and suggestions would be greatly appreciated.


-Drew
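A quick way to check whether a Snort 2.x threshold.conf suppression would actually match the alerts being seen is to replay the alert's GID:SID and endpoint addresses against the parsed `suppress` lines. The script below is an added example and is not part of the original post or of Security Onion; it implements the `suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <list>]` matching semantics on a constructed config fragment. The network 10.1.0.0/16, the external address 203.0.113.5 and the GID:SID numbers are constructed stand-ins; in practice take the GID:SID from the alert itself.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Snort 2.x suppress syntax as used in threshold.conf:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|cidr>[,...]]
# A suppress line with no "track" clause suppresses the event unconditionally.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(.+))?\s*$"
)


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None            # None -> suppress everywhere
    nets: list = field(default_factory=list)

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        if (gid, sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        # by_src compares the alert's source address, by_dst its destination.
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return any(addr in net for net in self.nets)


def parse_threshold_conf(text: str) -> list:
    """Return the suppress rules found in a threshold.conf body (comments ignored)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue  # event_filter / rate_filter lines are out of scope here
        gid, sid, track, ips = m.groups()
        nets = []
        if ips:
            # ip lists may be bracketed: [10.0.0.0/8,192.168.0.0/16]
            for tok in ips.strip("[]").split(","):
                nets.append(ipaddress.ip_network(tok.strip(), strict=False))
        rules.append(Suppress(int(gid), int(sid), track, nets))
    return rules


def is_suppressed(rules: list, gid: int, sid: int, src: str, dst: str) -> bool:
    return any(r.matches(gid, sid, src, dst) for r in rules)


# Constructed threshold.conf fragment (GID:SID values are illustrative stand-ins).
CONF = """\
# constructed example, not a real deployment's file
suppress gen_id 138, sig_id 1, track by_src, ip 10.1.0.0/16
suppress gen_id 138, sig_id 5, track by_dst, ip [10.1.0.0/16,192.168.1.0/24]
suppress gen_id 120, sig_id 6
"""
RULES = parse_threshold_conf(CONF)


def demo() -> dict:
    # Constructed alert: content in an HTTP response from an external server
    # (203.0.113.5) to an internal client (10.1.2.3).
    src, dst = "203.0.113.5", "10.1.2.3"
    return {
        "by_src_internal_net": is_suppressed(RULES, 138, 1, src, dst),  # False
        "by_dst_internal_net": is_suppressed(RULES, 138, 5, src, dst),  # True
        "unconditional": is_suppressed(RULES, 120, 6, src, dst),        # True
        "different_sid": is_suppressed(RULES, 138, 2, src, dst),        # False
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'suppressed' if hit else 'NOT suppressed'}")
```

The first result is the common trap: when the sensitive content arrives in a server's response, the alert's source address is the external server, so a `track by_src` rule listing only the internal range never matches, while `track by_dst` with the same range does. If the checker reports that an alert should be suppressed but Snort still raises it, the problem is not the rule syntax but which threshold.conf the running sensor actually loaded and whether it was restarted after the edit.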
