Snort mailing list archives
Re: Http_inspect: allow_proxy_use/no_alerts
From: Jeremy Hewlett <jh () sourcefire com>
Date: Mon, 5 Jan 2004 17:30:27 -0500
The Proxy functionality is really somewhat of an experimental feature that we thought users might get some use out of - any feedback on how to improve it is welcome. The proxy feature was meant to be used on an internal network where you can configure the web access points. Comments inline - hopefully this will help....

On Wed, Dec 31, Martin McKeay wrote:
I've tried configuring the sensor to allow for the proxy, and I've tried the no_alert option, but both still create a large number of alerts. Here are the relevant portions of our snort.conf:

    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
    preprocessor http_inspect: server default profile all ports { 80 8080 }
    preprocessor http_inspect: server 10.4.1.45 no_alerts --(or allow_proxy_use)--
    preprocessor http_inspect: server 10.4.1.46 no_alerts
The reason you're still seeing proxy alerts is because you have a server default profile that will alert on any proxy use. You can add the no_alerts to the server default, and this should cut off all your alerts. The main thing here is that if you have any other servers that aren't 10.4.1.4{5,6} and don't have allow_proxy_use enabled, you will get alerts on those IPs. If you use proxy_alert, you have to make sure all your HTTP servers are configured with allow_proxy_use, otherwise you'll run into this problem... or you could use no_alerts on the server default.

How allow_proxy_use currently works is that it assumes your network uses one or more proxies to access the external net. This way you can configure the proxies appropriately. If users don't have to use the proxy, then you will get many alerts, like you're seeing.
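The interaction described in the reply (global proxy_alert plus a server default without no_alerts or allow_proxy_use) is easy to miss in a long snort.conf. The following added checker is not part of the thread or of Snort; it parses http_inspect lines written in the syntax the thread uses and reports which server blocks would still raise proxy alerts. The sample config is constructed from the posted fragment, with 10.4.1.45 given allow_proxy_use and 10.4.1.46 no_alerts.

```python
import re

# Constructed sample: the fragment posted in the thread, with both proxies
# suppressed but "server default" left alerting on any proxy use.
THREAD_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
preprocessor http_inspect: server default profile all ports { 80 8080 }
preprocessor http_inspect: server 10.4.1.45 allow_proxy_use
preprocessor http_inspect: server 10.4.1.46 no_alerts
"""

# The fix suggested in the reply: no_alerts on the server default.
FIXED_CONF = THREAD_CONF.replace(
    "server default profile all ports { 80 8080 }",
    "server default profile all ports { 80 8080 } no_alerts",
)

# Accepts both the "http_inspect:" form used in the thread and "http_inspect_server:".
LINE_RE = re.compile(
    r"^\s*preprocessor\s+http_inspect(?:_server)?:\s*(global|server)\s+(.*)$"
)
SUPPRESS = {"no_alerts", "allow_proxy_use"}  # server options that stop proxy alerts


def parse_http_inspect(conf):
    """Return (global_options, {server_id: server_options}) from http_inspect lines."""
    global_opts, servers = set(), {}
    for line in conf.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        scope, tokens = m.group(1), m.group(2).split()
        if scope == "global":
            global_opts.update(tokens)
        elif tokens:  # first token is "default" or the server IP
            servers[tokens[0]] = set(tokens[1:])
    return global_opts, servers


def servers_that_proxy_alert(conf):
    """Server blocks that still raise proxy alerts; "default" covers every unlisted server."""
    global_opts, servers = parse_http_inspect(conf)
    if "proxy_alert" not in global_opts:
        return []  # proxy alerting is not enabled globally, nothing to flag
    return sorted(sid for sid, opts in servers.items() if not opts & SUPPRESS)


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(name, servers_that_proxy_alert(conf) or "no proxy alerts")
```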