Snort mailing list archives
https and http_inspect gives *many* false positives
From: Edward van der Jagt <snort-users () evdj com>
Date: Tue, 13 Jan 2004 00:06:12 +0100
After enabling http_inspect and http_inspect_server I'm getting loads of events in my database (bare byte, non-RFC, U encoding, double decoding). Further inspection and testing shows that this is caused by HTTPS traffic between workstations and the WAN (or Internet) going through the proxy servers working on port 80.

Going on what the Snort manual says, that these should not appear during normal traffic, it would be unwise to disable these alerts altogether. Disabling them would also disable detection of these on normal traffic. The proxy_alert or allow_proxy_use will not help here (if I understand the manual correctly).

For now we have these lines in the snort.conf:

preprocessor http_inspect: global iis_unicode_map /etc/unicode.map 1250
preprocessor http_inspect_server: server default profile all ports { 80 }

What should I change to get rid of these false positives?
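The post's diagnosis is that the http_inspect encoding alerts come from HTTPS sessions relayed by proxies listening on port 80, so http_inspect is decoding TLS bytes as if they were an HTTP request. The script below is an added example, not code from the original post or from the Snort project, showing how to check that diagnosis before touching the rule set: it parses alert_fast lines, counts the four encoding alerts named in the post per destination, splits the total between known proxy addresses and everything else, and offers a small check that a captured payload really is a TLS (or SSLv2) record rather than HTTP. The sample alert lines, the proxy addresses in PROXIES and the payload bytes are all constructed for the example; the sid numbers are assumed and only the message texts matter to the logic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort's alert_fast format; hosts, ports, timestamps
# and sids are made up for this example, not taken from the poster's database.
# The message texts are the http_inspect decoder alerts named in the post.
SAMPLE_ALERTS = """\
01/12-23:51:02.104311 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.30:3344 -> 10.1.0.8:80
01/12-23:51:02.233875 [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.2.30:3344 -> 10.1.0.8:80
01/12-23:51:03.002110 [**] [119:3:1] (http_inspect) U ENCODING [**] [Priority: 3] {TCP} 10.1.2.41:1056 -> 10.1.0.9:80
01/12-23:51:03.551900 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.1.2.41:1056 -> 10.1.0.9:80
01/12-23:52:10.760004 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.1.2.55:2210 -> 192.0.2.10:80
"""

# Assumed proxy server addresses; the post does not name them.
PROXIES = {"10.1.0.8", "10.1.0.9"}

# The four http_inspect alert texts the post complains about.
ENCODING_ALERTS = {
    "BARE BYTE UNICODE ENCODING",
    "NON-RFC HTTP DELIMITER",
    "U ENCODING",
    "DOUBLE DECODING ATTACK",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"\((?P<pp>[^)]+)\) (?P<msg>.+?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts, proxies):
    """Count http_inspect encoding alerts per destination host:port and split the
    total into alerts that hit a known proxy and alerts that hit anything else.
    Encoding alerts on a proxy's port 80 are the candidates for 'TLS misread as
    HTTP'; the same alerts against an ordinary web server still deserve a look."""
    per_dst = defaultdict(Counter)
    for a in alerts:
        if a["pp"] == "http_inspect" and a["msg"] in ENCODING_ALERTS:
            per_dst[f'{a["dst"]}:{a["dport"]}'][a["msg"]] += 1
    proxy_total = sum(sum(c.values()) for d, c in per_dst.items() if d.split(":")[0] in proxies)
    other_total = sum(sum(c.values()) for d, c in per_dst.items() if d.split(":")[0] not in proxies)
    return dict(per_dst), proxy_total, other_total


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the first bytes of a TCP payload form a TLS record header
    (content type 0x14-0x17, version 3.x, sane length) or an SSLv2-style
    client hello (high bit set on the length byte, message type 0x01).
    Used to confirm that a flagged stream on port 80 is really encrypted."""
    if len(payload) < 5:
        return False
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    if ctype in (0x14, 0x15, 0x16, 0x17) and vmaj == 3 and vmin <= 3 and 0 < length <= 18432:
        return True
    # SSLv2 record: 2-byte header with the high bit set, then the message type.
    return bool(payload[0] & 0x80) and payload[2] == 0x01


if __name__ == "__main__":
    per_dst, proxy_total, other_total = summarize(parse_alerts(SAMPLE_ALERTS), PROXIES)
    for dst, counts in per_dst.items():
        tag = "proxy" if dst.split(":")[0] in PROXIES else "other"
        print(f"{dst} ({tag}): {dict(counts)}")
    print(f"encoding alerts on proxies: {proxy_total}, elsewhere: {other_total}")
    # Constructed payloads: a TLS 1.0 ClientHello record header and a plain GET.
    print(looks_like_tls_record(b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"))
    print(looks_like_tls_record(b"GET / HTTP/1.0\r\n"))
```

Run against a real alert file, the split tells you whether the noise is confined to the proxy hosts on port 80 (the case the post describes) or whether some of it lands on ordinary web servers, which is the traffic the alerts exist for. The payload check is for the packet captures behind a few of the proxy-bound alerts: a stream that starts with a TLS or SSLv2 record header is the encrypted tunnel, not a malformed HTTP request.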
Current thread:
- https and http_inspect gives *many* false positives Edward van der Jagt (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- <Possible follow-ups>
- Re: https and http_inspect gives *many* false positives Edward van der Jagt (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- Re: https and http_inspect gives *many* false positives Edward van der Jagt (Jan 13)