Snort mailing list archives
Ok, Ok - I know - http_inspect
From: "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland () erdc usace army mil>
Date: Wed, 16 Jun 2004 10:53:56 -0500
I know I'm going to get slaughtered for even bringing up the subject of http_inspect. I've read through the old posts, and also read through the manual. I'm hoping that someone can offer clarification or guidance on this, though.

I do not want to disable this option - but at the moment I'm going to have to - just pouring out too many alerts. I tried to limit these alerts to only my webfarm subnet by doing this:

    preprocessor http_inspect_server: server x.x.x.0/8 \
        profile all ports { 80 8080 8180 } oversize_dir_length 500

But it didn't like that. I'd just like to restrict these alerts to one subnet - how do I do that? Shouldn't I use the all profile if I'm pretty sure that I have apache and IIS servers?

Krisa Rowland
ERDC Information Assurance Team (SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland () erdc usace army mil
Current thread:
- Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- <Possible follow-ups>
- RE: Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Koski, Brian (Jun 16)
- RE: Ok, Ok - I know - http_inspect SN ORT (Jun 17)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 18)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)