Snort mailing list archives

Re: Is it dangerous to tweak http_inspect defaults


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 12 Oct 2011 15:38:20 -0400

I don't know if "dangerous" is the word I'd choose.

However, we don't write our rules to take into consideration those configuration options at this time. We write our 
rules to the snort.conf that is shipped in the vrt tarball.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 12, 2011, at 1:06 PM, Mike Lococo wrote:

On 10/12/2011 12:55 PM, Joel Esler wrote:
What we call our "current" snort.conf is the .conf that is shipped in
the VRT rules download tarball in the etc/ directory.

I'll keep that in mind.  I'm using the .conf for snort 2.9.1.1 which, as 
you note, is quite new.

All Snort configurations require tuning for their environment
(memory, rules enabled, locations, var's, etc), however the detection
options should be enabled in order to provide full coverage and
utilize the full features of Snort.

To be clear, I'm interested in enabling *additional* options that appear 
to me to provide additional evasion protection.  My 
question is whether that will have unintended consequences.  It sounds 
like your response can be paraphrased as:

    "Yes, it's dangerous to enable additional http_inspect
    normalization like normalize_cookies, normalize_headers,
    and normalize_utf because we count on every installation
    using the config that we ship except for variations in
    memcaps, rules-enabled, and vars".

Thanks,
Mike Lococo
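For readers following the thread, here is where the three options Mike names live in a Snort 2.9 http_inspect_server block. This is a constructed fragment added to the archive page, not the snort.conf shipped in the VRT tarball and not anything either poster wrote; the port list and profile are placeholders, and the enable_cookie line is included on the assumption that cookie normalization needs the cookie buffer extracted first.

```conf
# Constructed example: NOT the VRT-shipped snort.conf.
# Global http_inspect settings (unicode map path is a placeholder).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Default server block with the three additional normalizations from the thread.
# Caveat from Joel's reply: VRT rules are written and tested against the
# shipped config, so rule content matches in the http_header / http_cookie
# buffers are authored against what those buffers contain WITHOUT these
# options. Enabling them changes the normalized data the rules inspect,
# which can shift what matches; test against your own traffic before
# relying on it in production.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 } \
    enable_cookie \
    normalize_cookies \
    normalize_headers \
    normalize_utf
```

Change one option at a time and compare alert volume against a pcap replay of known traffic so that any behavioural difference can be attributed to a specific normalization.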

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!