Snort mailing list archives
Http_inspect: allow_proxy_use/no_alerts
From: Martin McKeay <mmckeay () yahoo com>
Date: Wed, 31 Dec 2003 08:02:11 -0800 (PST)
Greetings all,

Yesterday afternoon I bit the bullet and upgraded the company's main snort server to the 2.1.0 rev (from 2.0.3). Our first problem was the OS: Solaris 9. Once the issues with this had been resolved, we had to deal with the changes to the preprocessors. We now have most of the changes made, but we are still running into a problem with the http_inspect preprocessor creating massive amounts of alerts on traffic outbound from our proxies. I've tried configuring the sensor to allow for the proxy, and I've tried the no_alert option, but both still create a large number of alerts.

Here are the relevant portions of our snort.conf:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
preprocessor http_inspect: server default profile all ports { 80 8080 }
preprocessor http_inspect: server 10.4.1.45 no_alerts --(or allow_proxy_use)--
preprocessor http_inspect: server 10.4.1.46 no_alerts

In either case, it seems to be alerting on the traffic outbound from the proxy server. The no_alerts option cuts down on the number of alerts, but does not completely stop them. I've been over the user manual a number of times, and googled to find a solution, but so far no luck. I just want to stop the alerts on the outbound proxy traffic.

Thanks in advance for any help,

=====
Martin McKeay, CISSP, CCNA
http://www.mckeay.net
707-529-7701
marty () mckeay net