[Snort-users] Configuration tradeoffs

Stewart L stewartl42 at ...11827...
Wed Aug 27 13:22:28 EDT 2008


Overnight.  It was a great webinar, BTW. :)

Here is an example of what I did...

# Global Settings
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Linux Web Servers
preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
[snip about 40 similar lines with different IP addresses.]

#Default Windows server for the rest
preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500

Stewart

On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj at ...11827...> wrote:

> How long have you had this running?
> J
>
> On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
>
> So,
>
> I sat through a Webinar on common mistakes made when setting up Snort.
> They mentioned that http_inspect needs to be configured to reduce false
> positives.
>
> I have my global configuration, I have my default server configuration,
> then I added about 40 server configuration lines for my Linux Servers.
>
> I'm seeing more packet loss since I configured all this up.   Went from
> about 0.1% loss to more than 2%.
>
> Am I doing something incorrect here? Or is this expected?
>
> --
> Stewart
> --
> You only lose what you cling to.
> --
> Joel Esler
> http://blog.joelesler.net
> http://www.dearcupertino.com


-- 
Stewart
--
You only lose what you cling to.