[Snort-users] Http_inspect: allow_proxy_use/no_alerts

Martin McKeay mmckeay at ...131...
Wed Dec 31 08:10:06 EST 2003


Greetings all,

Yesterday afternoon I bit the bullet and upgraded the company's main snort
server to the 2.1.0 rev (from 2.0.3).  Our first problem was the OS: Solaris 9.
Once the issues with this had been resolved, we had to deal with the changes
to the preprocessors.  We now have most of the changes made, but we are still
running into a problem with the http_inspect preprocessor creating massive
amounts of alerts on traffic outbound from our proxies.  

I've tried configuring the sensor to allow for the proxy, and I've tried the
no_alert option, but both still create a large number of alerts.  Here are the
relevant portions of our snort.conf:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 proxy_alert
preprocessor http_inspect: server default profile all ports { 80 8080 }
preprocessor http_inspect: server 10.4.1.45 no_alerts  --(or allow_proxy_use)--
preprocessor http_inspect: server 10.4.1.46 no_alerts

In either case, it seems to be alerting on the traffic outbound from the proxy
server.  The no_alerts option cuts down on the number of alerts, but does not
completely stop them.  I've been over the user manual a number of times, and
googled to find a solution, but so far no luck.  I just want to stop the alerts
on the outbound proxy traffic.  

Thanks in advance for any help,

=====
Martin McKeay, CISSP, CCNA
http://www.mckeay.net
707-529-7701
marty at ...10866...
