[Snort-users] Pre-Processor Alerts based on Traffic Flow Direction

Naman Latif naman.latif at ...10264...
Fri Dec 5 15:11:01 EST 2003


Hi,
Is it possible to define any rules for preprocessors, so that alerts are
only generated based on traffic flow direction?

I have the $HOME_NET defined for our local subnet as x.x.x.0/26.

However, for the http_decode preprocessor I am getting a lot of false
positives such as

http_decode: double encoding  <snip> x.x.x.39:54391        y.y.y.y:80
Where source address (x.x.x.39) is actually the traffic from my Internal
Proxy Server to some External Server.

Can I control http_decode behaviour so that it alerts only for
External-->Internal traffic?

\\ Naman
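As an added example (not part of the original post, and not Snort's own code or a model of how its http_decode preprocessor works internally), the following Python shows the direction gate the question asks for: classify each flow against HOME_NET the way Snort's $HOME_NET / $EXTERNAL_NET split does, and keep a "double encoding" alert only when the request flows from outside into HOME_NET. The addresses and alert lines are constructed: 192.0.2.0/26 stands in for the poster's x.x.x.0/26, 192.0.2.39 plays the internal proxy, and 198.51.100.10 / 203.0.113.7 play external hosts.

```python
"""Direction-aware filtering of preprocessor-style alerts (added example).

Assumptions (not from the post): HOME_NET = 192.0.2.0/26 stands in for
x.x.x.0/26; the alert lines and URIs below are constructed test data.
"""
import ipaddress
from urllib.parse import unquote

# Assumption: documentation prefix standing in for the poster's x.x.x.0/26.
HOME_NET = ipaddress.ip_network("192.0.2.0/26")

# Constructed alert lines in the shape printed in the post:
#   "<preproc>: <message> <snip> src:sport dst:dport"
SAMPLE_ALERTS = [
    # internal proxy -> external web server: the false positive the post describes
    "http_decode: double encoding  <snip> 192.0.2.39:54391 198.51.100.10:80",
    # external client -> internal web server: the alert we do want to keep
    "http_decode: double encoding  <snip> 203.0.113.7:41022 192.0.2.10:80",
    # internal -> internal: also outside the requested External-->Internal scope
    "http_decode: double encoding  <snip> 192.0.2.12:33000 192.0.2.10:80",
]


def direction(src_ip: str, dst_ip: str) -> str:
    """Classify a flow relative to HOME_NET; anything not in HOME_NET is external."""
    s_in = ipaddress.ip_address(src_ip) in HOME_NET
    d_in = ipaddress.ip_address(dst_ip) in HOME_NET
    if d_in and not s_in:
        return "external->internal"
    if s_in and not d_in:
        return "internal->external"
    return "internal->internal" if s_in else "external->external"


def parse_endpoints(line: str):
    """Pull 'src:sport' and 'dst:dport' off the end of an alert line."""
    src, dst = line.split()[-2:]
    src_ip, _, sport = src.rpartition(":")
    dst_ip, _, dport = dst.rpartition(":")
    return src_ip, int(sport), dst_ip, int(dport)


def filter_alerts(lines, wanted=("external->internal",)):
    """Post-process already generated alerts: keep only the wanted directions."""
    kept = []
    for line in lines:
        src_ip, _, dst_ip, _ = parse_endpoints(line)
        if direction(src_ip, dst_ip) in wanted:
            kept.append(line)
    return kept


def is_double_encoded(uri: str) -> bool:
    """True if one round of %XX decoding still leaves a decodable escape.

    Example: '%255c' -> '%5c' -> '\\' (double encoded), while '%5c' -> '\\'
    decodes to a fixed point after one round.
    """
    once = unquote(uri)
    return once != uri and unquote(once) != once


def inspect_request(src_ip: str, dst_ip: str, uri: str,
                    alert_on=("external->internal",)):
    """Direction-gated check: alert on a double-encoded URI only in a wanted direction.

    Returns the alert text, or None when the request is clean or flows in a
    direction we chose not to alert on (e.g. the proxy's outbound requests).
    """
    if not is_double_encoded(uri):
        return None
    flow = direction(src_ip, dst_ip)
    if flow not in alert_on:
        return None
    return f"http_decode: double encoding {src_ip} -> {dst_ip} ({flow}) {uri}"


if __name__ == "__main__":
    for line in filter_alerts(SAMPLE_ALERTS):
        print("KEEP:", line)
    # Constructed URI: a double-encoded backslash in a directory traversal.
    traversal = "/scripts/..%255c../winnt/system32/cmd.exe"
    print(inspect_request("192.0.2.39", "198.51.100.10", traversal))  # proxy outbound: None
    print(inspect_request("203.0.113.7", "192.0.2.10", traversal))   # inbound: alert
```

The two entry points correspond to the two places a direction check can live: `filter_alerts` throws away alerts after the sensor has raised them, which works against any alert stream without touching the preprocessor; `inspect_request` applies the direction test before the encoding check, which is what a preprocessor would have to do itself to stop generating the outbound noise in the first place.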