Snort mailing list archives

Re: http_inspect question


From: Jeremy Hewlett <jh () sourcefire com>
Date: Thu, 3 Feb 2005 11:32:39 -0500

On Wed, Feb 02, Rich Adamson wrote:

> Questions:
> (Currently seeing a number of alerts resulting from the generic
> definitions, all of which are associated with user workstations
> accessing external web sites. None of which seem to have any value.

Set your "default" server to no_alerts. This will turn off
http_inspect generated alerts, but not affect rule-based alerts.

> If I disable the preprocessor, will that impact any of the web-based
> rules? Will web rules based on External_Net -> Home_Net be interpreted
> correctly?)

http_inspect needs to be enabled in order for traffic normalization to
work. Web rules requiring normalization will not function properly
if the traffic is obscured.

> Are there any reasonable cases where the preprocessor should be defined
> for external web servers when snort is located inside a Bank (as an
> example only)?

Only if you're concerned about that server, or what your users are
doing to those external servers.
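
The advice in the reply above as a snort.conf fragment, added here as an illustration and not part of the original message. It assumes Snort 2.x preprocessor syntax; the server address, profiles and port lists are constructed placeholders.

```conf
# Keep http_inspect loaded: rules that match on normalized URIs depend on it.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Catch-all entry for traffic to any server not listed below (for example,
# workstations browsing external sites). no_alerts silences the alerts that
# http_inspect itself generates; normalization still runs, so rule-based
# alerts are unaffected.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# A server you are concerned about gets its own entry without no_alerts,
# so preprocessor alerts stay on for it.
# 192.0.2.10 is a constructed documentation address.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }
```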


