[Snort-users] RE: [Snort-sigs] http_inspect

Esler, Joel - Contractor joel.esler at ...9426...
Tue Aug 3 11:23:07 EDT 2004

This would be an awesome function to use; however, it should flag on
HTTP traffic !$HTTP_PORTS. That might be a bit easier to code.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Jeremy
Sent: Tuesday, August 03, 2004 1:57 PM
To: snort-users at lists.sourceforge.net; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] http_inspect

On Thu, Jul 29, Esler, Joel - Contractor wrote:
>    detect_anomalous_servers config for http_inspect. When I turn it
>    it works, but it detects return HTTP traffic as opposed to
>    traffic to non $HTTP_SERVERS, I am assuming that this is the
>    with it right now and they are going to fix it? Or do I
>    something misconfig?

Hi Joel! Thanks for working with me on this.

For others who might be experiencing similar results, the issue is
related to not having a default entry for non-anomalous ports. We're
going to redefine anomalous servers to be specific to certain
network(s), we think this will help curb false alerts. Look for a commit
to HEAD in the Near Future (tm).
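As an added illustration (not Snort's http_inspect code and not something either poster wrote), the following Python model shows why the check misfires: a naive rule that flags any HTTP-looking packet whose destination port is outside $HTTP_PORTS fires on the server's reply (source port 80 to an ephemeral client port), whereas a direction-aware rule only looks at client requests and flags a destination port outside $HTTP_PORTS or a host outside $HTTP_SERVERS. The packets, variable values and request heuristic are constructed for the example.

```python
# Added example: models the anomalous-server check discussed in the thread.
# Not Snort code; HTTP_PORTS / HTTP_SERVERS values and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HTTP_PORTS = {80, 8080}                       # stands in for $HTTP_PORTS
HTTP_SERVERS = [ip_network("10.0.0.0/24")]    # stands in for $HTTP_SERVERS
REQUEST_METHODS = (b"GET", b"POST", b"HEAD", b"PUT")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def looks_like_http(payload: bytes) -> bool:
    """Constructed heuristic: matches a request line OR a status line."""
    return payload.startswith(REQUEST_METHODS) or payload.startswith(b"HTTP/1.")


def naive_anomalous(pkt: Packet) -> bool:
    """Flags any HTTP-looking packet not destined to HTTP_PORTS.
    A server reply (sport=80 -> client ephemeral dport) trips this: the
    false alert on return traffic described in the thread."""
    return looks_like_http(pkt.payload) and pkt.dport not in HTTP_PORTS


def anomalous_server(pkt: Packet) -> bool:
    """Direction-aware: only client requests can reveal an unknown server.
    Flags a request to a port outside HTTP_PORTS or a host outside HTTP_SERVERS."""
    if pkt.payload.split(b" ", 1)[0] not in REQUEST_METHODS:
        return False  # a status line is a reply; never treat it as a new server
    dst = ip_address(pkt.dst)
    known_host = any(dst in net for net in HTTP_SERVERS)
    return pkt.dport not in HTTP_PORTS or not known_host


# Constructed sample traffic: a normal exchange, then two genuinely odd requests.
REQUEST = Packet("192.168.1.5", 40000, "10.0.0.7", 80, b"GET / HTTP/1.1\r\n")
REPLY = Packet("10.0.0.7", 80, "192.168.1.5", 40000, b"HTTP/1.1 200 OK\r\n")
ODD_PORT = Packet("192.168.1.5", 40001, "10.0.0.7", 8000, b"GET / HTTP/1.1\r\n")
ODD_HOST = Packet("192.168.1.5", 40002, "172.16.3.3", 80, b"POST /x HTTP/1.1\r\n")

if __name__ == "__main__":
    for name, p in [("request", REQUEST), ("reply", REPLY),
                    ("odd_port", ODD_PORT), ("odd_host", ODD_HOST)]:
        print(f"{name:8} naive={naive_anomalous(p)!s:5} fixed={anomalous_server(p)}")
```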

