Snort mailing list archives
Re: Do you have port 443 in $HTTP_PORTS and http_inspect_server?
From: Joel Esler <jesler () cisco com>
Date: Fri, 21 Nov 2014 14:59:57 -0500
I’ve seen people do it, with mixed results. Totally depends on the network, I would suppose. You can test it and provide feedback. I know, easy for me to say, right?

On Friday, November 21, 2014 at 2:28 PM, L0rd Ch0de1m0rt wrote:

> Hello. Right now on my Snorts I do not have the TCP port 443 in the HTTP_PORTS portvar or in the http_inspect_server port lists. But do you think I should? Sometimes I have the malwares use 443 but not encrypted at all and it would be nice to be able to use http_inspect buffers and have the PAF. I also have 'noinspect_encrypted' on my SSL preprocessor configurations so I am thinking that if I put 443 in for http_inspect it won't be a big deal because I won't do inspection after a successful SSL handshake is detected, right??? I am curious what other people do and their reasoning for this. Have you ever thought about this? I don't see the port 443 in the default config that comes with snort so I am worried about doing it. How will it impact performance?
>
> Thanks && Cheers!
> L0rd C.
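For anyone testing the change discussed in this thread, the following is an added example (not part of either message and not Snort project code) that reads a snort.conf and reports whether a port appears in the HTTP_PORTS portvar, the http_inspect_server port list and the ssl preprocessor port list, and whether noinspect_encrypted is set. The two configuration fragments are constructed samples in Snort 2.x syntax, and the function names are hypothetical.

```python
import re

# Constructed snort.conf fragments (Snort 2.x syntax); not taken from the thread.
WITHOUT_443 = r"""
portvar HTTP_PORTS [80,8080]
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    server_flow_depth 0
preprocessor ssl: ports { 443 465 993 }, trustservers, noinspect_encrypted
"""
WITH_443 = (WITHOUT_443.replace("[80,8080]", "[80,8080,443]")
                       .replace("{ 80 8080 }", "{ 80 8080 443 }"))

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and # comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def brace_ports(line):
    """Ports listed inside a 'ports { ... }' option on a preprocessor line."""
    m = re.search(r"\bports\s*\{([^}]*)\}", line)
    return {int(p) for p in m.group(1).split()} if m else set()

def audit(conf_text, port=443):
    """Report where `port` is listed and whether the ssl preprocessor
    has noinspect_encrypted set."""
    r = {"HTTP_PORTS": False, "http_inspect_server": False,
         "ssl_ports": False, "noinspect_encrypted": False}
    for line in logical_lines(conf_text):
        m = re.match(r"(?:portvar|var)\s+HTTP_PORTS\s+(.*)", line)
        if m:
            listed = {int(p) for p in re.findall(r"\d+", m.group(1))}
            r["HTTP_PORTS"] = port in listed
        elif line.startswith("preprocessor http_inspect_server:"):
            r["http_inspect_server"] |= port in brace_ports(line)
        elif line.startswith("preprocessor ssl:"):
            r["ssl_ports"] |= port in brace_ports(line)
            r["noinspect_encrypted"] |= "noinspect_encrypted" in line
    return r

if __name__ == "__main__":
    for name, conf in (("without 443", WITHOUT_443), ("with 443", WITH_443)):
        print(name, audit(conf))
```

Running it against the sensor's real snort.conf before and after the edit confirms the three port lists and the ssl option are in the state you intend before you start comparing performance.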