Snort mailing list archives
Re: Is it dangerous to tweak http_inspect defaults
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 12 Oct 2011 15:38:20 -0400
I don't know if "dangerous" is the word I'd choose. However, we don't write our rules to take into consideration those configuration options at this time. We write our rules to the snort.conf that is shipped in the VRT tarball.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 12, 2011, at 1:06 PM, Mike Lococo wrote:

> On 10/12/2011 12:55 PM, Joel Esler wrote:
>> What we call our "current" snort.conf is the .conf that is shipped in the VRT rules download tarball in the etc/ directory.
>
> I'll keep that in mind. I'm using the .conf for snort 2.9.1.1 which, as you note, is quite new.
>
>> All Snort configurations require tuning for their environment (memory, rules enabled, locations, var's, etc), however the detection options should be enabled in order to provide full coverage and utilize the full features of Snort.
>
> To be clear, I'm interested in enabling *additional* options that appear to me that they should provide additional evasion protection. My question is whether that will have unintended consequences. It sounds like your response can be paraphrased as: "Yes, it's dangerous to enable additional http_inspect normalization like normalize_cookies, normalize_headers, and normalize_utf because we count on every installation using the config that we ship except for variations in memcaps, rules-enabled, and vars".
>
> Thanks,
> Mike Lococo
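For readers who want to see where the options under discussion actually live, the following http_inspect_server fragment is an added illustration, not part of the thread and not the snort.conf shipped in the VRT tarball. Only the three option names Mike lists (normalize_cookies, normalize_headers, normalize_utf) are taken from the thread; the ports, flow depths and the choice of `profile all` are placeholders, and the real baseline should be read from the etc/ directory of the VRT tarball as Joel describes.

```conf
# Added example (not from the thread or the VRT tarball).
# Port list, depths and profile are placeholder assumptions.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 } \
    server_flow_depth 0 \
    client_flow_depth 0 \
    enable_cookie \
    # The three options Mike asks about. Joel's point is that the VRT
    # rules are written and tested against the shipped snort.conf, so
    # rules that match on the normalized HTTP buffers were not tested
    # with these changes in place.
    normalize_headers \
    normalize_cookies \
    normalize_utf
```

Snort's config parser does not accept comments inside a backslash-continued option list, so drop the commented lines before using this; they are there to mark the additions. Before enabling the extra normalization on a sensor that runs the VRT ruleset, diff the fragment against the tarball's etc/snort.conf to confirm which of these options the shipped file already turns on.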
Current thread:
- Is it dangerous to tweak http_inspect defaults Mike Lococo (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Joel Esler (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Mike Lococo (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Joel Esler (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Mike Lococo (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Joel Esler (Oct 12)