[Snort-sigs] http_inspect

Jeremy Hewlett jh at ...435...
Tue Aug 3 10:58:18 EDT 2004


On Thu, Jul 29, Esler, Joel - Contractor wrote:
> 
>    detect_anomalous_servers  config for http_inspect.  When I turn it on,
>    it  works,  but  it  detects  return  HTTP  traffic as opposed to HTTP
>    traffic  to  non  $HTTP_SERVERS, I am assuming that this is the probem
>    with  it  right  now  and  they  are  going  to  fix it?  Or do I have
>    something misconfig?

Hi Joel! Thanks for working with me on this.

For others who might be experiencing similar results, the issue is
related to not having a default entry for non-anomalous ports. We're
going to redefine anomalous servers to be specific to certain
network(s), we think this will help curb false alerts. Look for a
commit to HEAD in the Near Future (tm).







More information about the Snort-sigs mailing list