Re: https and http_inspect gives *many* false positives

[Jason Haar <Jason.Haar () trimble co nz>]

On Tue, 2004-01-13 at 12:06, Edward van der Jagt wrote:
> After enabling http_inspect and http_inspect_server I'm getting loads of
> events in my database (bare byte, non-rfc, U encoding, double decoding).
> Further inspection and testing shows that this is caused by HTTPS
> traffic
> between workstations and the WAN (or Internet) going through the proxy
> servers
> working on port 80.
>
> What should I change to get rid of these false positives ?

Tricky. You're not really meant to run proxy servers on port 80. Squid
defaults to 3128, M$ Proxy 8080, etc.

As you are running a proxy server on port 80, then such things as
HTTPS-CONNECT methods will indeed cause a lot of grief.

How about using "http_inspect_server: server 1.1.1.1" for your proxy's
IP address and tell sort it has a web server on some unused port such as
port 88 or the like. i.e. it will disable http_inspect for port 80
traffic.

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users