[Snort-users] disable http_inspect for external www servers
jh at ...1935...
Thu Sep 30 09:08:01 EDT 2004

On Wed, Sep 29, M Shirk wrote:
> My first reaction is to make an explicit rule with a SPECIAL_NET variable
> to alert on, but then create a pass rule for anything other than the
> SPECIAL_NET group.

This would work fine for rule-based alerts. However, Tim's issue was
that he was getting unwanted http_inspect preprocessor alerts.

We talked this over off-list to figure out the specific issue. The end
result was to add no_alerts to the "default" profile and add "server"
entries for any webservers/proxies (which he already did). In this
setup, http_inspect won't generate preprocessor alerts for
local->internet (but still normalizes).

..and on that note, in the Near Future (tm) we'll be adding the
ability for users to define servers with netmasks.
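
The setup described in the message above, sketched as a snort.conf fragment. This is an added example, not part of the original post or of Tim's actual configuration. The addresses, port lists and profile choices are constructed placeholders, and the existing `preprocessor http_inspect: global ...` line is assumed to stay as already configured.

```conf
# Catch-all entry: applies to every HTTP server that has no explicit
# "server" entry below, i.e. external web servers reached by local clients.
# no_alerts turns off http_inspect preprocessor alerts for this traffic;
# URI normalization still runs, so HTTP rules keep matching normalized data.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    no_alerts

# Explicit entries for the servers you are responsible for.
# These do not carry no_alerts, so preprocessor alerts still fire for them.
# One entry per address (192.0.2.x values are constructed placeholders).
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }

preprocessor http_inspect_server: server 192.0.2.20 \
    profile iis ports { 80 }

# Local proxy, listed the same way as the web servers.
preprocessor http_inspect_server: server 192.0.2.30 \
    profile all ports { 3128 8080 }
```

As the message notes, no_alerts only affects preprocessor alerts, so rule-based HTTP alerts for external servers are still generated and need pass rules or rule tuning if they are unwanted.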