[Snort-users] disable http_inspect for external www servers

M Shirk shirkdog_linux at ...125...
Wed Sep 29 04:57:53 EDT 2004

Leads to a good question for the list.

My first reaction is to make an explicit rule with a SPECIAL_NET variable to 
alert on, but then create a pass rule for anything other then the 

However, is this the best approach? (Question to list)


>From: "Tim Bernhardson" <TBERNHAR at ...12484...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] disable http_inspect for external www servers
>Date: Mon, 27 Sep 2004 16:46:50 -0700
>Running Snort 2.2.0, have http_inspect enableed but 98+% of alerts are
>for Traffic between Squid and External WWW Servers.
>Is there any way to telll http_inspect to only inspect servers on a
>specific subnet (I.E. or to ignore all traffic
>from a specific IP Address?
>I have read through the doucmentation and browsed the web and have not
>had any luck finding an answer.
>Tim Bernhardson
>Senior Technical Engineer
>Certified Citrix Metaframe Administrator
>Certified CyberGuard Administrator
>Certified AIX 4.3 System Administrator
>Sun-Maid Growers of California
>7273 Murray Drive, Ste 18
>Stockton, CA 95210
>tbernhar at sunmaid dot com
>This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
>Project Admins to receive an Apple iPod Mini FREE for your judgement on
>who ports your project to Linux PPC the best. Sponsored by IBM.
>Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Don’t just search. Find. Check out the new MSN Search! 

More information about the Snort-users mailing list