Snort mailing list archives
Pre-Processor Alerts based on Traffic Flow Direction
From: "Naman Latif" <naman.latif () inamed com>
Date: Fri, 5 Dec 2003 15:10:05 -0800
Hi,

Is it possible to define any rules for Preprocessors, so that Alerts are only generated based on Traffic flow direction?

I have the $HOME_NET defined for our local subnet as x.x.x.0/26. However, for the http_decode pre-processor, I am getting a lot of False Positives as

http_decode: double encoding <snip> x.x.x.39:54391 y.y.y.y:80

where the source address (x.x.x.39) is actually the traffic from my Internal Proxy Server to some External Server.

Can I control http_decode behavior to only alert for External-->Internal Traffic only?

\\ Naman