[Snort-users] disable http_inspect for external www servers

Jeremy Hewlett jh at ...1935...
Thu Sep 30 09:08:01 EDT 2004


On Wed, Sep 29, M Shirk wrote:
> My first reaction is to make an explicit rule with a SPECIAL_NET variable
> to alert on, but then create a pass rule for anything other than the
> SPECIAL_NET group.

This would work fine for rule-based alerts. However, Tim's issue was
that he was getting unwanted http_inspect preprocessor alerts.

We talked this over off-list to figure out the specific issue. The end
result was to add no_alerts to the "default" profile and add "server"
entries for any webservers/proxies (which he already did). In this
setup, http_inspect won't generate preprocessor alerts for
local->internet (but still normalizes).

..and on that note, in the Near Future (tm) we'll be adding the
ability for users to define servers with netmasks.
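
The setup described in this message, sketched as a snort.conf fragment. This is an added example, not configuration from the original post: the server addresses and ports are constructed placeholders, and the unicode.map location is an assumption.

```conf
# Global http_inspect settings (unicode.map assumed to sit beside snort.conf).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# "default" covers every web server that has no entry of its own, i.e. the
# external servers that local clients browse to. no_alerts suppresses the
# preprocessor alerts for that traffic; normalization still runs, so
# rule-based detection continues to see normalized URIs.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# Explicit entries for the local web servers and proxies. These do not carry
# no_alerts, so http_inspect still alerts on traffic to them.
# 192.0.2.10 and 192.0.2.20 are placeholder addresses.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile all ports { 80 }
preprocessor http_inspect_server: server 192.0.2.20 \
    profile all ports { 80 8080 }
```

Each server entry here names a single address, since defining servers by netmask is mentioned above only as a planned feature.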




