[Snort-users] http_inspect question

Jeremy Hewlett jh at ...1935...
Thu Feb 3 08:34:42 EST 2005


On Wed, Feb 02, Rich Adamson wrote:
> 
> Questions:
> (Currently seeing a number of alerts resulting from the generic 
> definitions, all of which are associated with user workstations
> accessing external web sites. None of which seem to have any value.

Set your "default" server to no_alerts. This will turn off
http_inspect generated alerts, but not affect rule-based alerts.

> If I disable the preprocessor, will that impact any of the web-based
> rules? Will web rules based on External_Net -> Home_Net be interpreted
> correctly?)

http_inspect needs to be enabled in order for traffic normalization to
work. Web rules requiring normalization will not function properly
if the traffic is obscured.

> Are there any reasonable cases where the preprocessor should be defined
> for external web servers when snort is located inside a Bank (as an
> example only)?

Only if you're concerned about that server, or what your users are
doing to those external servers.
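
A snort.conf fragment illustrating the advice above, as an added example that is not part of the original message. It uses Snort 2.x http_inspect syntax; the server address 192.0.2.10, the port lists and the unicode.map code page are constructed placeholders to adapt to your own network.

```conf
# Added example: constructed values, adjust before use.

# Global http_inspect settings (required before any server entries).
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# "default" applies to every web server without its own entry, which
# includes the external sites that user workstations browse to.
# no_alerts silences the preprocessor's own alerts while normalization
# still runs, so rule-based web alerts keep working on decoded URIs.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# A server you are concerned about gets its own entry, without
# no_alerts, so http_inspect anomalies against it are still reported.
# 192.0.2.10 is a placeholder address.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }
```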




