Snort mailing list archives

Http_inspect: allow_proxy_use/no_alerts


From: Martin McKeay <mmckeay () yahoo com>
Date: Wed, 31 Dec 2003 08:02:11 -0800 (PST)

Greetings all,

Yesterday afternoon I bit the bullet and upgraded the company's main snort
server to the 2.1.0 rev (from 2.0.3).  Our first problem was the OS: Solaris 9.
Once the issues with this had been resolved, we had to deal with the changes
to the preprocessors.  We now have most of the changes made, but we are still
running into a problem with the http_inspect preprocessor creating massive
amounts of alerts on traffic outbound from our proxies.

I've tried configuring the sensor to allow for the proxy, and I've tried the
no_alert option, but both still create a large number of alerts.  Here are the
relevant portions of our snort.conf:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
preprocessor http_inspect: server default profile all ports { 80 8080 }
preprocessor http_inspect: server 10.4.1.45 no_alerts  --(or allow_proxy_use)--
preprocessor http_inspect: server 10.4.1.46 no_alerts

In either case, it seems to be alerting on the traffic outbound from the proxy
server.  The no_alerts option cuts down on the number of alerts, but does not
completely stop them.  I've been over the user manual a number of times, and
googled to find a solution, but so far no luck.  I just want to stop the alerts
on the outbound proxy traffic.  

Thanks in advance for any help,

=====
Martin McKeay, CISSP, CCNA
http://www.mckeay.net
707-529-7701
marty () mckeay net
