Snort mailing list archives

Re: Snort 2.1.0 - Shutting up http_inspect on non web servers


From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 14 Jan 2004 06:16:00 -0800 (PST)

On Tue, 13 Jan 2004 12:31:03 -0800 (PST)
"James Nonya" <slave_tothe_box () yahoo com> wrote:

Any way to do this people?  I've just upgraded....and
got some server profiles going with
http_inspect_server, but I'm getting BOATLOADS of
other http traffic in there as well.  Help!!!


__________________________________

Hehe...here's from a previous post:

preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 300 \
    ascii no \
    utf_8 no \
    bare_byte no \
    base36 no \
    iis_unicode no \
    double_decode no \
    non_rfc_char { 0x00 } \
    multi_slash no \
    iis_backslash no \
    directory no \
    apache_whitespace no \
    iis_delimiter no \
    chunk_length 64000 \
    non_strict

Then adding my real servers has nicely shut up
http_inspect for our client workstations.  I'm
surprised that there is no option to simply say:

http_inspect_server: server $HTTP_SERVERS

that will only inspect servers, not clients accessing
outside servers.

James
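
An added example, not part of the original post or of Snort itself: a small generator that expands an HTTP_SERVERS-style address list into one http_inspect_server stanza per real server, to be placed after the quiet "server default" stanza shown in the message. It assumes each stanza takes a single IPv4 address and that the profile names are all, apache and iis; the function names, the expansion cap and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

MAX_HOSTS = 256                        # hypothetical cap on CIDR expansion
PROFILES = ("all", "apache", "iis")    # assumed http_inspect_server profiles


def expand_servers(value):
    """Expand a var-style list, e.g. "[10.1.1.10,10.1.2.0/30]", into hosts."""
    hosts = set()
    for item in filter(None, re.split(r"[\s,\[\]]+", value)):
        # Negations, nested variables and "any" cannot become a host list.
        if item == "any" or item[0] in "!$":
            raise ValueError(f"cannot expand {item!r} into server stanzas")
        net = ipaddress.IPv4Network(item, strict=False)
        if net.num_addresses > MAX_HOSTS:
            raise ValueError(f"{item} expands to {net.num_addresses} addresses")
        # A bare address parses as a /32; for real subnets hosts() skips
        # the network and broadcast addresses.
        hosts.update([net.network_address] if net.num_addresses == 1
                     else net.hosts())
    return sorted(hosts)


def server_stanzas(value, profile="all", ports=(80,)):
    """Return one per-server preprocessor line for each expanded address."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}")
    port_list = " ".join(str(int(p)) for p in ports)
    return [
        f"preprocessor http_inspect_server: server {host} "
        f"profile {profile} ports {{ {port_list} }}"
        for host in expand_servers(value)
    ]


if __name__ == "__main__":
    # Constructed sample value standing in for the site's HTTP_SERVERS var.
    for line in server_stanzas("[10.1.1.10,10.1.2.0/30]", profile="apache"):
        print(line)
```
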

