Snort mailing list archives
Ok, Ok - I know - http_inspect
From: "Rowland, Krisa W ERDC-ITL-MS Contractor" <Krisa.W.Rowland () erdc usace army mil>
Date: Wed, 16 Jun 2004 10:53:56 -0500
I know I'm going to get slaughtered for even bringing up the subject of
http_inspect. I've read through the old posts, and also read through the
manual. I'm hoping that someone can offer clarification or guidance on
this, though. I do not want to disable this option - but at the moment I'm
going to have to - just pouring out too many alerts.
I tried to limit these alerts to only my webfarm subnet by doing this:
preprocessor http_inspect_server: server x.x.x.0/8 \
profile all ports { 80 8080 8180 } oversize_dir_length 500
But it didn't like that. I'd just like to restrict these alerts to one
subnet - how do I do that?
Shouldn't I use the all profile if I'm pretty sure that I have apache and
IIS servers?
Krisa Rowland
ERDC Information Assurance Team
(SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland () erdc usace army mil
