Snort mailing list archives

RE: Ok, Ok - I know - http_inspect


From: "Jeff Dell" <jdell () activeworx com>
Date: Wed, 16 Jun 2004 12:14:52 -0400

It sounds like you want to limit it to only a single Class C, and not a
Class A? If this is the case, you would want to change the subnet mask to /24.
 
Cheers,
Jeff


  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rowland, Krisa
W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] Ok, Ok - I know - http_inspect



I know I'm going to get slaughtered for even bringing up the subject of
http_inspect.  I've read through the old posts, and also read through the
manual.  I'm hoping that someone can offer clarification or guidance on
this, though.  I do not want to disable this option - but at the moment I'm
going to have to - just pouring out too many alerts.  

I tried to limit these alerts to only my webfarm subnet by doing this: 

preprocessor http_inspect_server: server x.x.x.0/8 \ 
    profile all ports { 80 8080 8180 } oversize_dir_length 500 

But it didn't like that.  I'd just like to restrict these alerts to one
subnet - how do I do that?  

Shouldn't I use the all profile if I'm pretty sure that I have apache and
IIS servers?  

Krisa Rowland 
ERDC Information Assurance Team 
(SAIC Contractor) 
3909 Halls Ferry Rd.,  Bldg. 8000 
Vicksburg, MS 39180 
601-634-2493 
krisa.w.rowland () erdc usace army mil 
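
The difference between the /8 in the posted directive and the /24 suggested in the reply, shown as an added example (not part of the original messages and not Snort's own code): a small Python check that reads http_inspect_server lines and reports what each written prefix actually covers. The address 192.0.2.0 is a constructed stand-in for x.x.x.0, and the function names are hypothetical.

```python
import ipaddress
import re

# Matches the "server <address>/<prefix>" part of an http_inspect_server line.
SERVER_RE = re.compile(r"http_inspect_server:\s*server\s+(\S+)/(\d+)")


def join_continuations(text):
    """Join lines ending in a backslash (trailing blanks tolerated) into one."""
    return re.sub(r"\\[ \t]*\n\s*", " ", text)


def check_server_scope(config_text):
    """Return one finding dict per http_inspect_server 'server' CIDR."""
    findings = []
    for addr, prefix in SERVER_RE.findall(join_continuations(config_text)):
        iface = ipaddress.ip_interface(f"{addr}/{prefix}")
        net = iface.network
        findings.append({
            "written": f"{addr}/{prefix}",
            "covers": str(net),
            "addresses": net.num_addresses,
            # True when the written address has bits set outside the mask,
            # i.e. the prefix is wider than the address suggests.
            "host_bits_set": iface.ip != net.network_address,
        })
    return findings


# Constructed sample: 192.0.2.0 (documentation range) stands in for x.x.x.0.
SAMPLE = """\
preprocessor http_inspect_server: server 192.0.2.0/8 \\
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 192.0.2.0/24 \\
    profile all ports { 80 8080 8180 } oversize_dir_length 500
"""

if __name__ == "__main__":
    for finding in check_server_scope(SAMPLE):
        print(finding)
```
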

