Snort mailing list archives

http_inspect question


From: Rich Adamson <radamson () routers com>
Date: Wed, 2 Feb 2005 14:24:53 -0600


Been around snort since v1.8 and have read the README.http_inspect and
the manual relative to the http_inspect preprocessor.

Questions:
1. In a small network environment with _no_ internal web server, does the
http_inspect preprocessor have any value?  
(Currently seeing a number of alerts resulting from the generic 
definitions, all of which are associated with user workstations
accessing external web sites. None of which seem to have any value.
If I disable the preprocessor, will that impact any of the web-based
rules? Will web rules based on External_Net -> Home_Net be interpreted
correctly?)

2. All of the documentation suggests the preprocessor is intended to
identify issues associated with a web "server" (presumably internal).
Are there any reasonable cases where the preprocessor should be defined
for external web servers when snort is located inside a Bank (as an
example only)?

Comments?



