Snort mailing list archives

Re: Do you have port 443 in $HTTP_PORTS and http_inspect_server?


From: Joel Esler <jesler () cisco com>
Date: Fri, 21 Nov 2014 14:59:57 -0500

I’ve seen people do it, with mixed results.  Totally depends on the network, I would suppose.  You can test it and 
provide feedback.  I know, easy for me to say right?

On Friday, November 21, 2014 at 2:28 PM, L0rd Ch0de1m0rt wrote:

Hello.
 
Right now on my Snorts I do not have the TCP port 443 in the HTTP_PORTS portvar or in the http_inspect_server port 
lists.  But do you think I should? Sometimes I have malware use 443 but not encrypted at all and it would be 
nice to be able to use http_inspect buffers and have the PAF.
 
I also have 'noinspect_encrypted' on my SSL preprocessor configurations so I am thinking that if I put 443 in for 
http_inspect it won't be a big deal because I won't do inspection after a successful SSL handshake is detected, right???
 
I am curious what other people do and their reasoning for this.
 
Have you ever thought about this?  I don't see the port 443 in the default config that comes with snort so I am 
worried about doing it.  How will it impact performance?
 
Thanks && Cheers!
 
L0rd C.
 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net (mailto:Snort-users () lists sourceforge net)
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
 
Please visit http://blog.snort.org to stay current on all the latest Snort news!  
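
One way to follow the "test it" advice before touching HTTP_PORTS is to measure how many flows on port 443 actually begin with plaintext HTTP rather than a TLS/SSL handshake. The sketch below is an added example, not code from either poster or from Snort, and it is not how Snort's SSL preprocessor makes its decision; the function names and the sample payloads are constructed for illustration, and it assumes you can export the first client-to-server payload of each flow from your own captures.

```python
from collections import Counter

# Request-line prefixes that mark a cleartext HTTP request.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

def classify_first_payload(data: bytes) -> str:
    """Label the first client payload of a flow seen on port 443."""
    # TLS/SSLv3 record header: type 0x16 (handshake), major version 3, minor 0-4.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # SSLv2-format ClientHello: 2-byte length with the high bit set,
    # message type 1, then a version starting 0x00 (SSLv2) or 0x03 (SSLv3/TLS).
    if (len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01
            and data[3] in (0x00, 0x03)):
        return "sslv2-hello"
    # Cleartext HTTP: a known method followed by an HTTP/1.x request line.
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0]
        if b" HTTP/1." in request_line:
            return "plaintext-http"
    return "other"

def summarize(flows):
    """flows: iterable of (flow_id, first_payload_bytes) -> Counter of labels."""
    return Counter(classify_first_payload(payload) for _, payload in flows)

# Constructed sample payloads (not taken from real traffic).
SAMPLES = [
    ("flow-1", bytes.fromhex("16030100c8010000c40303") + bytes(32)),
    ("flow-2", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-3", bytes.fromhex("802e010002") + bytes(16)),
    ("flow-4", b"\x00\x01\x02\x03 opaque binary protocol"),
    ("flow-5", b"POST /upload HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLES).items()):
        print(f"{label:15s} {count}")
```

A high share of "plaintext-http" or "other" on 443 is the traffic http_inspect would actually end up parsing, so it is the number to weigh against the performance concern raised in the question.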
