[Snort-users] RE: [Snort-sigs] http_inspect

Esler, Joel - Contractor joel.esler at ...783...
Tue Aug 3 11:28:16 EDT 2004


Or !$HTTP_SERVERS

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Esler,
Joel - Contractor
Sent: Tuesday, August 03, 2004 2:23 PM
To: Jeremy Hewlett; snort-users at lists.sourceforge.net;
snort-sigs at lists.sourceforge.net
Subject: [Snort-users] RE: [Snort-sigs] http_inspect


This would be an awesome function to use, however, it should flag on
HTTP traffic !$HTTP_PORTS. That might be a bit easier to code.

J

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Jeremy
Hewlett
Sent: Tuesday, August 03, 2004 1:57 PM
To: snort-users at lists.sourceforge.net; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] http_inspect


On Thu, Jul 29, Esler, Joel - Contractor wrote:
> 
>    detect_anomalous_servers config for http_inspect. When I turn it on,
>    it works, but it detects return HTTP traffic as opposed to HTTP
>    traffic to non $HTTP_SERVERS, I am assuming that this is the problem
>    with it right now and they are going to fix it? Or do I have
>    something misconfig?

Hi Joel! Thanks for working with me on this.

For others who might be experiencing similar results, the issue is
related to not having a default entry for non-anomalous ports. We're
going to redefine anomalous servers to be specific to certain
network(s), we think this will help curb false alerts. Look for a commit
to HEAD in the Near Future (tm).
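The false positive Joel describes, and the fix Jeremy outlines, can be modelled outside Snort. The following is an added example, not code from Snort or from the http_inspect preprocessor: a toy packet classifier that compares a naive "destination port has no HTTP config" check against one that first decides which endpoint is the server and only then tests it against $HTTP_SERVERS / $HTTP_PORTS (Joel's "!$HTTP_PORTS" and "Or !$HTTP_SERVERS" conditions). The variable values, the `Packet` class, the helper names and all sample packets are constructed for the example; the naive check is a simplification of the behaviour the thread reports, not a reproduction of the preprocessor's internals.

```python
"""Toy model of an 'anomalous HTTP server' check (added example, not Snort code).

naive_check       flags any HTTP-looking payload whose destination port is not
                  an HTTP port. A server *reply* is addressed to the client's
                  ephemeral port, so every reply is flagged: the false positive
                  reported in the thread.
server_side_check works out which endpoint is the server (the destination of a
                  request, the source of a response) and flags only when that
                  server is outside HTTP_SERVERS or listens outside HTTP_PORTS.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the snort.conf variables $HTTP_SERVERS / $HTTP_PORTS.
HTTP_SERVERS = [ipaddress.ip_network("10.1.1.0/24")]
HTTP_PORTS = {80, 8080}

REQUEST_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple plus payload; constructed for this example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def is_http_request(payload: bytes) -> bool:
    """True if the payload starts with an HTTP request method token."""
    return payload.split(b" ", 1)[0] in REQUEST_METHODS


def is_http_response(payload: bytes) -> bool:
    """True if the payload starts with an HTTP/1.x status line."""
    return payload.startswith(b"HTTP/1.")


def naive_check(pkt: Packet) -> bool:
    """Port-only logic: HTTP-looking traffic to a non-HTTP destination port."""
    if not (is_http_request(pkt.payload) or is_http_response(pkt.payload)):
        return False
    return pkt.dst_port not in HTTP_PORTS


def server_endpoint(pkt: Packet):
    """Return (ip, port) of the server side of the flow, or None if not HTTP."""
    if is_http_request(pkt.payload):
        return pkt.dst_ip, pkt.dst_port
    if is_http_response(pkt.payload):
        return pkt.src_ip, pkt.src_port
    return None


def server_side_check(pkt: Packet) -> bool:
    """Flag when the *server* is outside HTTP_SERVERS or outside HTTP_PORTS."""
    endpoint = server_endpoint(pkt)
    if endpoint is None:
        return False
    ip, port = endpoint
    in_servers = any(ipaddress.ip_address(ip) in net for net in HTTP_SERVERS)
    return port not in HTTP_PORTS or not in_servers


# Constructed sample packets: request to a known server, its reply, a request
# to a rogue server on a non-HTTP port, and a request to an unknown host on 80.
SAMPLE = [
    Packet("10.2.2.9", 51234, "10.1.1.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.1.1.5", 80, "10.2.2.9", 51234, b"HTTP/1.1 200 OK\r\n"),
    Packet("10.2.2.9", 51300, "192.168.7.7", 8000, b"GET /cmd HTTP/1.0\r\n"),
    Packet("10.2.2.9", 51301, "10.5.5.5", 80, b"POST /upload HTTP/1.1\r\n"),
]


def classify(check):
    """Apply one check to every sample packet; True means 'anomalous'."""
    return [check(p) for p in SAMPLE]


if __name__ == "__main__":
    for name, check in (("naive", naive_check), ("server-side", server_side_check)):
        print(name, classify(check))
```

The second packet is the one that matters: the naive check fires on the server's reply because port 51234 is not an HTTP port, while the server-side check attributes the reply to 10.1.1.5:80 and stays quiet. The fourth packet shows the other direction of the error: port 80 satisfies the port-only check, but the host is outside $HTTP_SERVERS, which is exactly the case the "Or !$HTTP_SERVERS" condition is meant to catch.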

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users