[Snort-users] Pre-Processor Alerts based on Traffic Flow Direction
naman.latif at ...10264...
Fri Dec 5 15:11:01 EST 2003
Is it possible to define any rules for Preprocessors, so that Alerts are
only generated based on Traffic flow direction?
I have the $HOME_NET defined for our local subnet as x.x.x.0/26.
However for http_decode pre-processor, I am getting a lot of False
http_decode: double encoding <snip> x.x.x.39:54391 y.y.y.y:80
Where source address (x.x.x.39) is actually the traffic from my Internal
Proxy Server to some External Server.
Can I control http_decode behavior to only alert for External-->Internal
Traffic only?