[Snort-users] Re: [Snort-sigs] http_inspect

Brian caswell bmc at ...950...
Mon Aug 2 11:07:10 EDT 2004

On Jul 29, 2004, at 3:05 PM, Esler, Joel - Contractor wrote:

> detect_anomalous_servers config for http_inspect.  When I turn it on, 
> it works, but it detects return HTTP traffic as opposed to HTTP 
> traffic to non $HTTP_SERVERS, I am assuming that this is the probem 
> with it right now and they are going to fix it?  Or do I have 
> something misconfig?

The detect_anomalous_servers configuration option looks for HTTP 
traffic on non-HTTP ports.  Basically, if someone starts running a web 
server on ports other than the ones you already have defined, snort 
will generate the alert "(http_inspect) ANOMALOUS HTTP SERVER ON 
UNDEFINED HTTP PORT" from this configuration.


More information about the Snort-users mailing list