Snort mailing list archives
Re: http_inspect question
From: Jeremy Hewlett <jh () sourcefire com>
Date: Thu, 3 Feb 2005 11:32:39 -0500
On Wed, Feb 02, Rich Adamson wrote:
> Questions: (Currently seeing a number of alerts resulting from the generic definitions, all of which are associated with user workstations accessing external web sites. None of which seem to have any value.
Set your "default" server to no_alerts. This will turn off http_inspect generated alerts, but not affect rule-based alerts.
> If I disable the preprocessor, will that impact any of the web-based rules? Will web rules based on External_Net -> Home_Net be interpreted correctly?)
http_inspect needs to be enabled in order for traffic normalization to work. Web rules requiring normalization will not function properly if the traffic is obscured.
> Are there any reasonable cases where the preprocessor should be defined for external web servers when snort is located inside a Bank (as an example only)?
Only if you're concerned about that server, or what your users are doing to those external servers.
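A snort.conf fragment (Snort 2.x syntax) illustrating the advice in the reply above, added here as an example and not part of the original post. The address 192.0.2.10, the port lists and the location of unicode.map are constructed assumptions.

```conf
# Global http_inspect settings; unicode.map is assumed to sit next to snort.conf.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Default server entry: applies to every web server without its own entry,
# including external sites that workstations browse to. Traffic is still
# normalized so web rules keep matching; no_alerts silences only the
# alerts generated by http_inspect itself.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# A server you are concerned about gets its own entry without no_alerts,
# so http_inspect alerts still fire for traffic to that address.
# 192.0.2.10 is a placeholder address.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }
```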