[Snort-sigs] http_inspect

Brian caswell bmc at ...95...
Mon Aug 2 11:07:05 EDT 2004


On Jul 29, 2004, at 3:05 PM, Esler, Joel - Contractor wrote:

> detect_anomalous_servers config for http_inspect.  When I turn it on, 
> it works, but it detects return HTTP traffic as opposed to HTTP 
> traffic to non $HTTP_SERVERS, I am assuming that this is the probem 
> with it right now and they are going to fix it?  Or do I have 
> something misconfig?
>

The detect_anomalous_servers configuration option looks for HTTP 
traffic on non-HTTP ports.  Basically, if someone starts running a web 
server on ports other than the ones you already have defined, snort 
will generate the alert "(http_inspect) ANOMALOUS HTTP SERVER ON 
UNDEFINED HTTP PORT" from this configuration.

Brian




More information about the Snort-sigs mailing list