[Snort-users] Using http_Inspect Correctly

Kenneth Trimmmer kenneth.trimmer at ...12179...
Wed Aug 4 11:07:04 EDT 2004


I'm running Snort 2.2.0 and I am getting an overflow of HTTP_Inspect alerts.
I've looked through the Doc's and google to see how to set up the
http_inspect Preprocessor for my HTTP Servers. However, most if not all of
the alerts that are being generated are coming from External sources to
Non-http computers. Everything I read more or less instructs you on how to
turn off the preprocessor or get it to quiet the alerts by removing all of
its functionality. What I would like to do is continue to use this
preprocessor but I would appreciate some help on making sure it is
configured correctly. Is there any way to get this preprocessor to quiet
down or is this considered to be normal activity. My thoughts are that I
configure all of my servers with their own instance of the http_inspect
preprocessor then set the default to No-alerts. Is this correct? That way I
should only see traffic that's on my http servers and not on anything else.
Or do I have that completely backwards? Do I configure all of my servers to
no alerts and alert on the default? Any help would be greatly appreciated.  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040804/3dcbcad3/attachment.html>


More information about the Snort-users mailing list