Snort mailing list archives
Re: https and http_inspect gives *many* false positives
From: Edward van der Jagt <snort-users () evdj com>
Date: Tue, 13 Jan 2004 00:48:07 +0100
After enabling http_inspect and http_inspect_server I'm getting loads of events in my database (bare byte, non-rfc, U encoding, double decoding). Further inspection and testing shows that this is caused by HTTPS traffic between workstations and the WAN (or Internet) going through the proxy servers working on port 80. What should I change to get rid of these false positives ?Tricky. You're not really meant to run proxy servers on port 80. Squid defaults to 3128, M$ Proxy 8080, etc.
I know. This is not my choice, but changing is not an option.
As you are running a proxy server on port 80, then such things as HTTPS-CONNECT methods will indeed cause a lot of grief. How about using "http_inspect_server: server 1.1.1.1" for your proxy's IP address and tell sort it has a web server on some unused port such as port 88 or the like. i.e. it will disable http_inspect for port 80 traffic.
But I still would like to know if something unwanted is travelling through my proxy servers. If http_inspect is disabled for port 80, non-HTTPS requests will then be missed by the preprocessor. So if someone is attacking a server, internal (WAN) or external (Internet) by using some url based attack which http_inspect should detect, this url request will be made through the proxy (firewalls block direct access). Disabling the preprocessor is therefore not a desirable option. Any other ideas ? ------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- https and http_inspect gives *many* false positives Edward van der Jagt (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- <Possible follow-ups>
- Re: https and http_inspect gives *many* false positives Edward van der Jagt (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- Re: https and http_inspect gives *many* false positives Edward van der Jagt (Jan 13)