Snort as IDS

[Jon Uriona <jurionamendi () yahoo es>]

Hi all,

I need to know if I need to apply web detection rules
(attacks, cgi, client, misc, php...) and preprocesor (http_inspect) to
devices acting as web proxies. I am getting thousand of alerts due to
those rules from my proxy clients and their external requests which I
believe all of them are false. Am I right?

And for web servers different than apache and IIS, do I have to apply
http_inspect with any profile?

I am trying to set up my http_inspect preprocessor.
If I have a Squid proxy listening on ports 80 and 8080, do I need to
configure a preprocessor http_inspect_server for it? And should I use
apache profile?

If I am using any other web server (neither IIS nor Apache), do I need
to configure a preprocessor http_inspect_server for it? If so, which
profile?

And same question about application servers, like AOL for example. Do I
need to configure http_inspect_server for it? Which profile?

Thanx in advance,

Jon

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------