[Snort-users] http_inspect question
jh at ...1935...
Thu Feb 3 08:34:42 EST 2005
On Wed, Feb 02, Rich Adamson wrote:
> (Currently seeing a number of alerts resulting from the generic
> definitions, all of which are associated with user workstations
> accessing external web sites. None of which seem to have any value.

Set your "default" server to no_alerts. This will turn off
http_inspect generated alerts, but not affect rule-based alerts.

> If I disable the preprocessor, will that impact any of the web-based
> rules? Will web rules based on External_Net -> Home_Net be interpreted

http_inspect needs to be enabled in order for traffic normalization to
work. Web rules requiring normalization will not function properly
if the traffic is obscured.

> Are there any reasonable cases where the preprocessor should be defined
> for external web servers when snort is located inside a Bank (as an
> example only)?

Only if you're concerned about that server, or what your users are
doing to those external servers.
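
The point above about rules that depend on normalization, as an added example that is not part of the original post and is not Snort's code: a simplified normalizer (percent-decoding, slash collapsing, dot-segment resolution) and a URI content match run against raw and normalized requests. The rule pattern, function names and sample requests are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical pattern standing in for the URI content match of a web rule.
RULE_URICONTENT = "/scripts/admin.php"

# Constructed sample request URIs (not taken from real traffic).
SAMPLE_REQUESTS = [
    "/scripts/admin.php",      # plain form
    "/scripts/%61dmin.php",    # one character percent-encoded
    "/scripts//./admin.php",   # duplicate slash and self-referencing directory
    "/index.html",             # unrelated request
]


def normalize_uri(raw_uri: str) -> str:
    """Simplified stand-in for URI normalization (assumption: one decode pass)."""
    path = raw_uri.split("?", 1)[0]    # match on the path only
    path = unquote(path)               # %61 -> a
    path = path.replace("\\", "/")     # treat backslash as a separator
    path = re.sub(r"/+", "/", path)    # collapse repeated slashes
    return posixpath.normpath(path)    # resolve "." and ".." segments


def rule_matches(uri: str, normalized: bool) -> bool:
    """Return True if the rule pattern is found in the raw or normalized URI."""
    target = normalize_uri(uri) if normalized else uri
    return RULE_URICONTENT in target


def compare(requests):
    """Return (uri, raw_hit, normalized_hit) for each request."""
    return [(u, rule_matches(u, False), rule_matches(u, True)) for u in requests]


if __name__ == "__main__":
    for uri, raw_hit, norm_hit in compare(SAMPLE_REQUESTS):
        print(f"{uri:26} raw={raw_hit!s:5} normalized={norm_hit}")
```

Only the first request matches without normalization. With it, the two rewritten forms of the same path match as well, which is the detection that is lost when the preprocessor is disabled rather than set to no_alerts.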