Snort mailing list archives

Do you have port 443 in $HTTP_PORTS and http_inspect_server?


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 21 Nov 2014 14:28:56 -0500

Hello.

Right now on my Snorts I do not have the TCP port 443 in the HTTP_PORTS
portvar or in the http_inspect_server port lists.  But do you think I
should? Sometimes I have the malwares use 443 but not encrypted at all and
it would be nice to be able to use http_inspect buffers and have the PAF.

I also have 'noinspect_encrypted' on my SSL preprocessor configurations so
I am thinking that if I put 443 in for http_inspect it won't be a big deal
because I won't do inspection after a successful SSL handshake is detected
right???

I am curious what other people do and their reasoning for this.

Have you ever thought about this?  I don't see the port 443 in the default
config that comes with snort so I am worried about doing it.  How will it
impact performance?

Thanks && Cheers!

L0rd C.
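
The case raised in the message above, unencrypted HTTP carried on TCP port 443, can be checked offline by looking at the first client-to-server payload of each flow. This is an added example, not part of the original post and not Snort's own preprocessor logic; the function names, the flow dictionaries and the sample payloads are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")

def classify_first_payload(data: bytes) -> str:
    """Classify the first client-to-server payload of a TCP flow."""
    # TLS record header: content type (1 byte), version (2), length (2).
    # 0x16 = handshake record; major version 0x03 covers SSLv3 through TLS 1.3.
    # Assumption: legacy SSLv2-format hellos are not handled here.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        (rec_len,) = struct.unpack("!H", data[3:5])
        # A TLS plaintext record is at most 2^14 bytes; handshake type 1 = ClientHello.
        if 0 < rec_len <= 16384 and data[5] == 0x01:
            return "tls_client_hello"
        return "tls_other"
    # Plain HTTP request line: METHOD SP target SP HTTP/x.y CRLF
    line, sep, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if sep and len(parts) == 3 and parts[0] in HTTP_METHODS \
            and parts[2].startswith(b"HTTP/"):
        return "plaintext_http"
    return "unknown"

def flag_cleartext_443(flows):
    """Return (src, dst) pairs for port-443 flows that open with plain HTTP."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 443
            and classify_first_payload(f["payload"]) == "plaintext_http"]

# Constructed sample flows (documentation addresses, hand-built payloads).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 41},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 443,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "dport": 443,
     "payload": b"\x00\x01\x02binary"},
    {"src": "192.0.2.13", "dst": "198.51.100.9", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for src, dst in flag_cleartext_443(SAMPLE_FLOWS):
        print(f"cleartext HTTP on 443: {src} -> {dst}")
```
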