Snort mailing list archives
Re: https and http_inspect gives *many* false positives
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 13 Jan 2004 13:40:39 +1300
On Tue, 2004-01-13 at 12:48, Edward van der Jagt wrote:
But I still would like to know if something unwanted is travelling through my proxy servers. If http_inspect is disabled for port 80, non-HTTPS requests will then be missed by the preprocessor. So if someone is attacking a server, internal (WAN) or external (Internet) by using some url based attack which http_inspect should detect, this url request will be made through the proxy (firewalls block direct access). Disabling the preprocessor is therefore not a desirable option.
All that only applies to internal attackers - correct? I mean your proxy server is only accessible by internal users, isn't it? So do you really want to put up with this problem and the LARGE number of false positives you WILL see just so that you can discover if an internal user is attempting to break a Web server via your proxy? [I'm not saying that's a bad thing - it's just that most IDS people are only interested in external baddies - not internal.]

Anyway, as this is a preprocessor, I think you're out of luck. If these alerts were caused by "alert" rules, you could simply put a "pass" rule above them saying something like "ignore port 80 connections starting with the string CONNECT" - which would cause HTTPS proxied queries to be ignored, and the rest to be still analysed. However, as this is a preprocessor, such logic does not apply.

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
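The mechanism behind the thread, as an added illustration (not code from either poster or from Snort): a toy HTTP inspector run over constructed client-to-proxy streams on port 80. Without the "skip streams that start with CONNECT" exclusion Jason describes, the TLS bytes that follow a CONNECT request look like non-HTTP data and raise the false positive; with it, the tunnel is left alone while URL checks still run on ordinary proxied GETs. The inspector and its alert names are simplified stand-ins for http_inspect, not its real behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample streams (client -> proxy, TCP port 80); not real captures.
CONNECT_STREAM = (
    b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
    b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01"  # start of a TLS ClientHello
)
PLAIN_STREAM = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL_STREAM = b"GET http://intranet.example.com/../../etc/passwd HTTP/1.0\r\n\r\n"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


@dataclass
class Verdict:
    tunnel: bool = False
    alerts: list = field(default_factory=list)


def inspect_proxy_stream(data: bytes, skip_connect: bool) -> Verdict:
    """Naive HTTP inspector: parse each request on the stream, flag non-HTTP
    bytes and a simple URL-based attack. skip_connect models a pass rule that
    stops inspection once a CONNECT request opens an opaque tunnel."""
    v = Verdict()
    pos = 0
    while pos < len(data):
        m = REQUEST_LINE.match(data[pos:])
        if not m:
            # What an HTTP inspector sees once TLS bytes follow CONNECT.
            v.alerts.append("non-HTTP data on HTTP port")
            break
        method, uri = m.group(1), m.group(2)
        hdr_end = data.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            break  # incomplete headers; wait for more data
        pos = hdr_end + 4
        if method == b"CONNECT":
            v.tunnel = True
            if skip_connect:
                break  # rest of the stream is the client's TLS session
            continue
        if b"/../" in uri:  # the kind of URL-based attack still worth catching
            v.alerts.append("directory traversal in URI")
    return v
```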
Current thread:
- https and http_inspect gives *many* false positives Edward van der Jagt (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- <Possible follow-ups>
- Re: https and http_inspect gives *many* false positives Edward van der Jagt (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason (Jan 12)
- Re: https and http_inspect gives *many* false positives Jason Haar (Jan 12)
- Re: https and http_inspect gives *many* false positives Edward van der Jagt (Jan 13)