Snort mailing list archives
RE: Having http_inspect problems, can't turn options off]
From: Daniel Roelker <droelker () sourcefire com>
Date: 09 Aug 2004 15:23:48 -0400
Hi Kenneth,
I have recently experienced similar problems and this is what I have done to fix it. I turned off alerting because of the overabundance of false positives. I believe that the false positives are in response to the SRC IP address having a high port number.
You were probably seeing encoding alerts because of the URL encodings that various web clients were using on your network and the different web applications that you are running, not because of a bug in the processing. The reason that you are seeing high src ports in the alerts is that web clients use high src ports to communicate with web servers. If you look at your alerts, you'll see that the dst port is 80 (or another port that you defined as an HTTP port). This is the port that counts for the encoding alerts, not the src port, since that changes with each request of the web client.

We are always trying to reduce false positives that occur with http_inspect, so anyone who has false positive scenarios, please email them to either me or nigel[at]sourcefire[dot]com. Packet dumps are necessary for correct documentation of the false positive.

Thanks.

--
Daniel Roelker
Software Developer
Sourcefire, Inc.
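The triage step Daniel describes (ignore the ephemeral client port, key on the configured HTTP server port, then collect a packet dump for the false positive) can be scripted against Snort's "fast" alert output. The following is an added example for this archive page; it is not code from Daniel's post or from the Snort project. It assumes an HTTP port set (`HTTP_PORTS`) mirroring the sensor's http_inspect `ports` setting, and the alert lines in `SAMPLE_ALERTS` are constructed samples: the addresses, timestamps and hit pattern are made up, and the message strings only follow the general shape of http_inspect encoding alerts.

```python
import re
from collections import defaultdict

# Ports the sensor treats as HTTP. This mirrors the http_inspect_server
# "ports" setting and is an assumed configuration for this example.
HTTP_PORTS = {80, 8080}

# Constructed sample alerts in Snort's "fast" alert format. Addresses,
# timestamps and the hit pattern are made up for the example; the message
# strings are sample values, not taken from the original post.
SAMPLE_ALERTS = """\
08/09-15:01:02.100000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.3:51234 -> 192.168.1.10:80
08/09-15:01:02.200000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.3:51235 -> 192.168.1.10:80
08/09-15:01:03.300000  [**] [119:6:1] (http_inspect) UTF-8 ENCODING [**] [Priority: 3] {TCP} 10.1.2.4:40001 -> 192.168.1.10:80
08/09-15:01:04.400000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.5:51236 -> 192.168.1.20:8080
08/09-15:01:05.500000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.3:51237 -> 192.168.1.30:8443
"""

# One fast-format alert line: timestamp, [gid:sid:rev], optional "(preprocessor)"
# prefix, message, then "{PROTO} src:sport -> dst:dport" at the end.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<pp>[^)]+)\)\s+)?(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict; None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def server_side(alert, http_ports=HTTP_PORTS):
    """Return ((server_ip, server_port), (client_ip, client_port)).

    The HTTP server is whichever end sits on a configured HTTP port; the other
    end is the client on an ephemeral port. Returns None when neither port is
    configured, i.e. the alert does not belong to this HTTP port set.
    """
    src = (alert["src"], alert["sport"])
    dst = (alert["dst"], alert["dport"])
    if dst[1] in http_ports:
        return dst, src
    if src[1] in http_ports:
        return src, dst
    return None


def summarize(alert_text, http_ports=HTTP_PORTS):
    """Group alerts by (server endpoint, message) and collect client details.

    Returns (groups, unclassified). Each group records the hit count, the
    distinct client IPs and the distinct client ports, which makes it visible
    that the client port changes per request while the server port is fixed.
    """
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "client_ports": set()})
    unclassified = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        ends = server_side(alert, http_ports)
        if ends is None:
            unclassified.append(line)
            continue
        server, client = ends
        group = groups[(server, alert["msg"])]
        group["hits"] += 1
        group["clients"].add(client[0])
        group["client_ports"].add(client[1])
    return dict(groups), unclassified


def capture_filter(server):
    """BPF filter for collecting the packet dump needed to document the false
    positive, scoped to the fixed server endpoint rather than the client port."""
    ip, port = server
    return f"host {ip} and tcp port {port}"


if __name__ == "__main__":
    groups, unclassified = summarize(SAMPLE_ALERTS)
    for (server, msg), group in sorted(groups.items()):
        print(f"{server[0]}:{server[1]}  {msg}: {group['hits']} hit(s) from "
              f"{len(group['clients'])} client(s), client ports {sorted(group['client_ports'])}")
        print(f"    tcpdump -s 0 -w fp.pcap '{capture_filter(server)}'")
    for line in unclassified:
        print("not on a configured HTTP port:", line)
```

Running it prints one line per (server, alert message) pair with the varying client ports, plus a tcpdump invocation filtered on the server endpoint, which is the capture you would attach when reporting a false positive. An alert whose ports are all outside `HTTP_PORTS` is reported separately, since it signals that the script's port set does not match the sensor's configuration.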