Snort mailing list archives

RE: Having http_inspect problems, can't turn options off


From: Daniel Roelker <droelker () sourcefire com>
Date: 09 Aug 2004 15:23:48 -0400

Hi Kenneth,

> I have recently experienced similar problems and this is what I have done to
> fix it. I turned off alerting because of the overabundance of false
> positives. I believe that the false positives are in response to the SRC IP
> address having a high port number.

You were probably seeing encoding alerts because of the URL encodings
that various web clients were using on your network and the different
web applications that you are running, not because of a bug in the
processing.

The reason that you are seeing high src ports in the alerts is because
web clients use high src ports to communicate to web servers.  If you
look at your alerts, you'll see that the dst port is 80 (or another port
that you defined as an HTTP port).  This is the port that counts for the
encoding alerts, not the src port since that changes with each request
of the web client.

We are always trying to reduce false positives that occur with
http_inspect, so anyone that has false positive scenarios please email
them to either me or nigel[at]sourcefire[dot]com.  Packet dumps are
necessary for correct documentation of the false positive.

Thanks.

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
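As an added example (not part of this thread or of Snort itself), a small Python triage script that parses constructed Snort fast-alert lines and groups http_inspect alerts by destination server, destination port and message, so the ephemeral client ports stand out from the HTTP port that http_inspect actually keys on. The sample alert lines, their SIDs and the `HTTP_PORTS` set are assumptions; take the real port list from your own snort.conf.

```python
import re
from collections import defaultdict

# Constructed sample Snort fast-alert lines (not real traffic or real SIDs).
SAMPLE_ALERTS = """\
08/09-15:01:02.000001 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.1.2.3:33412 -> 192.168.1.10:80
08/09-15:01:05.000002 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.1.2.3:33418 -> 192.168.1.10:80
08/09-15:01:09.000003 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.7:51200 -> 192.168.1.10:80
08/09-15:02:00.000004 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.1.2.3:33455 -> 192.168.1.20:8080
"""

# Assumed http_inspect server ports; use the ones configured in your snort.conf.
HTTP_PORTS = {80, 8080}

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?:\((?P<pp>\w+)\)\s+)?(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one fast-alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def summarize(text, http_ports=HTTP_PORTS):
    """Group http_inspect alerts by (dst ip, dst port, message); the server
    side is what the preprocessor keys on, client ports are only recorded."""
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "src_ports": set()})
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None or rec["pp"] != "http_inspect":
            continue
        g = groups[(rec["dst"], rec["dport"], rec["msg"])]
        g["count"] += 1
        g["clients"].add(rec["src"])
        g["src_ports"].add(rec["sport"])
    for (dst, dport, msg), g in groups.items():
        g["on_http_port"] = dport in http_ports  # configured server port?
        g["ephemeral_src"] = all(p >= 1024 for p in g["src_ports"])  # normal for clients
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(SAMPLE_ALERTS).items():
        print(key, g["count"], sorted(g["src_ports"]), g["on_http_port"])
```

Each group is one (server, port, encoding message) triple; a group with many distinct high source ports is simply one client population talking to one application, and the packet captures for that group are what is worth sending in as a false-positive report.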


