Snort mailing list archives
Re: Configuration tradeoffs
From: Joel Esler <eslerj () gmail com>
Date: Wed, 27 Aug 2008 13:31:12 -0400
On Aug 27, 2008, at 1:22 PM, Stewart L wrote:

> Overnight. It was a great webinar, BTW. :)

Thanks.

> Here is an example of what I did...
>
> # Global Settings
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>
> # Linux Web Servers
> preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
>
> [snip about 40 similar lines with different IP addresses.]

Are all those ports in use by each one of the IPs? Is 192.168.100.1 listening on 80 8080 and 8180? Or only on 80? How about the other 39?

> #Default Windows server for the rest
> preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500

Same thing. What about the ports?

J
> Stewart
>
> On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj () gmail com> wrote:
>
>> How long have you had this running?
>>
>> J
>>
>> On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
>>
>>> So,
>>>
>>> I sat through a Webinar on common mistakes made when setting up Snort. They mentioned that http_inspect needs to be configured to reduce false positives.
>>>
>>> I have my global configuration, I have my default server configuration, then I added about 40 server configuration lines for my Linux Servers.
>>>
>>> I'm seeing more packet loss since I configured all this up. Went from about 0.1% loss to more than 2%.
>>>
>>> Am I doing something incorrect here? Or is this expected?
>>>
>>> -- Stewart -- You only lose what you cling to.
>>
>> -- Joel Esler http://blog.joelesler.net http://www.dearcupertino.com [m]
>
> -- Stewart -- You only lose what you cling to.
-- Joel Esler http://blog.joelesler.net http://www.dearcupertino.com [m]
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
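
The questions in the reply above ask whether each `ports { ... }` list matches what the host really serves. As an added example (not from the thread or the Snort project), this Python script parses `http_inspect_server` lines and reports ports configured for a server but missing from an inventory of its listening ports. The inventory, the second IP address and the function names are constructed for illustration, and one IP per `server` line is assumed, as in the quoted config.

```python
import re

# Constructed sample: server lines in the style quoted in the thread, plus a
# hypothetical inventory of the ports each host really listens on.
SAMPLE_CONF = """\
# Global Settings
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 192.168.100.1 profile apache \\
    ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 192.168.100.2 profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500
"""
SAMPLE_LISTENING = {"192.168.100.1": {80}, "192.168.100.2": {80, 8180}}

SERVER_RE = re.compile(
    r"^\s*preprocessor\s+http_inspect_server:\s*server\s+(\S+)(.*)$")
PORTS_RE = re.compile(r"\bports\s*\{([^}]*)\}")


def parse_servers(conf_text):
    """Return {server: set_of_ports} for every http_inspect_server line."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)  # fold backslash continuations
    servers = {}
    for line in joined.splitlines():
        match = SERVER_RE.match(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        ports = PORTS_RE.search(match.group(2))
        servers[match.group(1)] = (
            {int(p) for p in ports.group(1).split()} if ports else set())
    return servers


def unused_ports(conf_text, listening):
    """Map each explicitly listed server to ports configured but not listening."""
    report = {}
    for server, ports in parse_servers(conf_text).items():
        if server == "default":
            continue  # the default entry covers hosts that have no own line
        extra = ports - listening.get(server, set())
        if extra:
            report[server] = sorted(extra)
    return report


if __name__ == "__main__":
    for server, extra in unused_ports(SAMPLE_CONF, SAMPLE_LISTENING).items():
        print(f"{server}: configured but not listening on {extra}")
```
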