jh at ...435...
Tue Aug 3 10:58:18 EDT 2004
On Thu, Jul 29, Esler, Joel - Contractor wrote:
> detect_anomalous_servers config for http_inspect. When I turn it on,
> it works, but it detects return HTTP traffic as opposed to HTTP
> traffic to non $HTTP_SERVERS, I am assuming that this is the problem
> with it right now and they are going to fix it? Or do I have
> something misconfigured?
Hi Joel! Thanks for working with me on this.
For others who might be experiencing similar results, the issue is
related to not having a default entry for non-anomalous ports. We're
going to redefine anomalous servers to be specific to certain
network(s); we think this will help curb false alerts. Look for a
commit to HEAD in the Near Future (tm).