bmc at ...95...
Mon Aug 2 11:07:05 EDT 2004
On Jul 29, 2004, at 3:05 PM, Esler, Joel - Contractor wrote:
> detect_anomalous_servers config for http_inspect. When I turn it on,
> it works, but it detects return HTTP traffic as opposed to HTTP
> traffic to non $HTTP_SERVERS, I am assuming that this is the probem
> with it right now and they are going to fix it? Or do I have
> something misconfig?
The detect_anomalous_servers configuration option looks for HTTP
traffic on non-HTTP ports. Basically, if someone starts running a web
server on ports other than the ones you already have defined, snort
will generate the alert "(http_inspect) ANOMALOUS HTTP SERVER ON
UNDEFINED HTTP PORT" from this configuration.
More information about the Snort-sigs