Snort mailing list archives
Re: flow:established still broken in 2.9.0.5?
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 30 Jun 2011 16:26:10 -0400
Not sure. Definitely make sure 3128 is in "ports both" in stream5 and in "ports" for http_inspect. Both of these are set in the default config in the 2.9.1_beta. Also add CONNECT to http_methods since only GET and POST are included by default. I would *guess* that to ignore the ssl traffic 3128 would also have to be in the ssl preprossor port list, but I don't know what affect that would have on performance since both HTTP and HTTPS are using the same port. Wally On Thu, Jun 30, 2011 at 12:06 AM, Jason Haar <Jason.Haar () trimble co nz> wrote:
On 30/06/11 13:39, Jason Wallace wrote:If you are frequently getting FP on ssl/tls/ssh traffic, even though you have this data set to ignore in the ssl/ssh preprossors, then make sure all your ports that are supporting this type of traffic are in both the ssl/ssh preprocessors and in stream5.How does that work for a proxy? i.e. port 3128 supports both HTTP (via GET/POST/etc) and HTTPS (via CONNECT method - and indeed isn't guaranteed to be SSL anyway) Thanks -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
Current thread:
- Re: FP shows snort-2.9.0.3 confused over packets and sessions, (continued)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Matthew Jonkman (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Russ Combs (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 30)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)