Suppression list for Webservers - Snort
Anyone have a suppression lists/whitelist for a shop that mostly cater webservices or webservers?
I've been constantly getting the following not sure if some of these are still consider false positive
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) UNESCAPED SPACE IN HTTP URI
This one, majority of the IP are abusive as per abusiveipdb.com so I believe this is legit:
(http_inspect) PROTOCOL-OTHER HTTP server response before client request
Appreciate your response!
bmeeks last edited by bmeeks
Most of us just disable those HTTP_INSPECT rules that fire frequently on known good websites. The first two alerts you listed in your post are the most frequently "disabled" rules for most of us. Just click the red X next to the GID:SID on the ALERTS tab and the rule will be disabled.
Here is a very long thread with discussions about false-positive prone rules and the various suppress lists and rule disables some users have in their configurations.