Snort mailing list archives

Re: Hopefully someone else has a better grasp on HTTP/_Inspect


From: Erek Adams <erek () snort org>
Date: Sat, 31 Jan 2004 22:41:06 -0500 (EST)

On Fri, 30 Jan 2004, Jason Kolberg wrote:

I have read through (not thoroughly so I may have missed something) the
README for inspect, but I haven't seen how to eliminate outbound traffic
easily.  I hate to disable the inspection entirely - but so far all it
has shown me is outbound packets which generally are binaries or
encrypted.  I saw where you can set up specific servers - would I have to
set up my servers and make default settings ignored?

You could use BPF filters.

        snort <options> "not src <internal_net>"

If any of you can point me in the right direction - I'd be grateful.  I
was happy to get Snort up and running with Acid fairly easily.

Also - as far as maintaining rules...  where is the best resource for
finding rules to root out new vulnerabilities?  Is that from updating
snort as it gets updated or is there another place I should look?  Is
someone providing a subscription service?

        https://lists.sourceforge.net/lists/listinfo/snort-sigs

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa

