Snort mailing list archives

Pre-Processor Alerts based on Traffic Flow Direction


From: "Naman Latif" <naman.latif () inamed com>
Date: Fri, 5 Dec 2003 15:10:05 -0800

Hi,
Is it possible to define any rules for Preprocessors, so that Alerts are
only generated based on Traffic flow direction?

I have the $HOME_NET defined for our local subnet as x.x.x.0/26.
 
However, for the http_decode pre-processor, I am getting a lot of False
Positives as

http_decode: double encoding  <snip> x.x.x.39:54391        y.y.y.y:80

Where source address (x.x.x.39) is actually the traffic from my Internal
Proxy Server to some External Server.

Can I control http_decode behavior to alert for External-->Internal
Traffic only?

\\ Naman

