Snort mailing list archives

Re: Http_inspect: allow_proxy_use/no_alerts


From: Jeremy Hewlett <jh () sourcefire com>
Date: Mon, 5 Jan 2004 17:30:27 -0500

The Proxy functionality is really somewhat of an experimental feature
that we thought users might get some use out of - any feedback on how
to improve it is welcome. The proxy feature was meant to be used on an
internal network where you can configure the web access points.

comments in line - hopefully this will help....

On Wed, Dec 31, Martin McKeay wrote:
I've tried configuring the sensor to allow for the proxy, and I've tried the
no_alert option, but both still create a large number of alerts. Here are the
relevant portions of our snort.conf:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
preprocessor http_inspect: server default profile all ports { 80 8080 }
preprocessor http_inspect: server 10.4.1.45 no_alerts  --(or allow_proxy_use)--
preprocessor http_inspect: server 10.4.1.46 no_alerts

The reason you're still seeing proxy alerts is because you have a
server default profile that will alert on any proxy use. You can add
the no_alerts to the server default, and this should cut off all your
alerts.

The main thing here is that if you have any other servers that aren't
10.4.1.4{5,6} and don't have allow_proxy_use enabled, you will get
alerts on those ips.

If you use proxy_alert, you have to make sure all your http servers
are configured with allow_proxy_use, otherwise you'll run into this
problem... or you could use no_alerts on the server default. 

How allow_proxy_use currently works is that it assumes your network
uses one or more proxies to access the external net. This way you can
configure the proxies appropriately. If users don't have to use the
proxy, then you will get many alerts, like you're seeing.
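As an added illustration of the point above (my own code, not from the list post or the Snort project), here is a small Python checker that parses the http_inspect lines of a snort.conf fragment and reports which server entries, the default included, will still raise proxy alerts when proxy_alert is set globally. It looks only at the three options discussed in this thread and assumes the configuration keywords are spelled exactly as they appear in the quoted snort.conf.

```python
import re

# Constructed snort.conf fragment mirroring the one quoted in the thread:
# proxy_alert is on globally, only 10.4.1.45/46 are tuned, the default is not.
SAMPLE_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
preprocessor http_inspect: server default profile all ports { 80 8080 }
preprocessor http_inspect: server 10.4.1.45 allow_proxy_use
preprocessor http_inspect: server 10.4.1.46 no_alerts
"""

# Same fragment with the fix suggested in the reply: no_alerts on the default.
FIXED_CONF = SAMPLE_CONF.replace(
    "server default profile all ports { 80 8080 }",
    "server default profile all ports { 80 8080 } no_alerts",
)

_LINE = re.compile(r"\s*preprocessor\s+http_inspect:\s*(global|server)\s*(.*)")


def parse_http_inspect(conf_text):
    """Return (global option set, {server id: option set}) from http_inspect lines."""
    global_opts, servers = set(), {}
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        # Drop brace groups such as "ports { 80 8080 }" so port numbers
        # are not mistaken for option keywords.
        tokens = re.sub(r"\{[^}]*\}", " ", rest).split()
        if kind == "global":
            global_opts.update(tokens)
        elif tokens:
            servers[tokens[0]] = set(tokens[1:])
    return global_opts, servers


def proxy_alert_gaps(conf_text):
    """Server entries that still alert on proxy use under a global proxy_alert."""
    global_opts, servers = parse_http_inspect(conf_text)
    if "proxy_alert" not in global_opts:
        return []  # proxy alerting is off, nothing can fire
    return [sid for sid, opts in servers.items()
            if not opts & {"allow_proxy_use", "no_alerts"}]
```

Any server id the checker returns (here the `default` profile, which covers every host other than 10.4.1.45 and 10.4.1.46) is one that still needs allow_proxy_use or no_alerts.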
