Re: Configuration tradeoffs

["Stewart L" <stewartl42 () gmail com>]

Left that in from the defaults.  I will change them.
still, the defaults were searching for all those ports on every IP.  Seems
like defining the extra server lines increased my drop rate.

On Wed, Aug 27, 2008 at 1:31 PM, Joel Esler <eslerj () gmail com> wrote:

> On Aug 27, 2008, at 1:22 PM, Stewart L wrote:
>
> Overnight.  It was a great webinar, BTW. :)
>
>
> Thanks.
>
>
>
> Here is an example of what I did...
>
> # Global Settings
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>
> # Linux Web Servers
> preprocessor http_inspect_server: server 192.168.100.1 profile apache
> ports { 80 8080 8180 } oversize_dir_length 500
> [snip about 40 similar lines with different IP addresses.]
>
>
> Are all those ports in use by each one of the IPs?  Is 192.168.100.1listening on 80 8080 and 8180?  Or only on 80?  
> How about the other 39?
>
>
>
> #Default Windows server for the rest
> preprocessor http_inspect_server: server default  profile iis ports { 80
> 8080 8180 } oversize_dir_length 500
>
>
> Same thing.  What about the ports?
>
> J
>
>
>
> Stewart
>
> On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj () gmail com> wrote:
>
> > How long have you had this running?
> > J
> >
> > On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
> >
> > So,
> >
> > I sat through a Webinar on common mistakes made when setting up Snort.
> > They mentioned that http_inspect needs to be configured to reduce false
> > positives.
> >
> > I have my global configuration, I have my default server configuration,
> > then I added about 40 server configuration lines for my Linux Servers.
> >
> > I'm seeing more packet loss since I configured all this up.   Went from
> > about 0.1% loss to more than 2%.
> >
> > Am I doing something incorrect here? Or is this expected?
> >
> > --
> > Stewart
> > --
> > You only lose what you cling to.
> >  -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's
> > challenge
> > Build the coolest Linux based applications with Moblin SDK & win great
> > prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the
> > world
> >
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > --
> > Joel Esler
> >   http://blog.joelesler.net
> >   http://www.dearcupertino.com
> > [m]
>
>
> --
> Stewart
> --
> You only lose what you cling to.
>
>
>
> --
> Joel Esler
>   http://blog.joelesler.net
>   http://www.dearcupertino.com
> [m]


-- 
Stewart
--
You only lose what you cling to.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users