[Snort-users] Configuration tradeoffs

Joel Esler eslerj at ...11827...
Wed Aug 27 13:31:12 EDT 2008


On Aug 27, 2008, at 1:22 PM, Stewart L wrote:

> Overnight.  It was a great webinar, BTW. :)

Thanks.

>
>
> Here is an example of what I did...
>
> # Global Settings
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>
> # Linux Web Servers
> preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
> [snip about 40 similar lines with different IP addresses.]

Are all those ports in use by each one of the IPs?  Is 192.168.100.1  
listening on 80 8080 and 8180?  Or only on 80?  How about the other 39?

>
>
> #Default Windows server for the rest
> preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500

Same thing.  What about the ports?

J

>
>
> Stewart
>
> On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj at ...11827...> wrote:
> How long have you had this running?
>
> J
>
> On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
>
>> So,
>>
>> I sat through a Webinar on common mistakes made when setting up  
>> Snort.   They mentioned that http_inspect needs to be configured to  
>> reduce false positives.
>>
>> I have my global configuration, I have my default server  
>> configuration, then I added about 40 server configuration lines for  
>> my Linux Servers.
>>
>> I'm seeing more packet loss since I configured all this up.   Went  
>> from about 0.1% loss to more than 2%.
>>
>> Am I doing something incorrect here? Or is this expected?
>>
>> -- 
>> Stewart
>> --
>> You only lose what you cling to.
>
>
> --
> Joel Esler
> http://blog.joelesler.net
> http://www.dearcupertino.com
> [m]
>
>
>
>
>
>
> -- 
> Stewart
> --
> You only lose what you cling to.


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com
[m]
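
The question raised in this reply, whether each configured server really listens on every port in its `ports { }` list, can be checked mechanically. The following is an added example, not code from the thread or from the Snort project; the `LISTENING` inventory, the host 192.168.100.50, and the function names are constructed assumptions standing in for your own asset data.

```python
import re

# Constructed sample: the two http_inspect_server lines quoted in the thread.
SNORT_CONF = """\
preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500
"""

# Constructed inventory (assumption): ports each host really serves HTTP on,
# e.g. gathered from your own asset records or listener listings per server.
LISTENING = {
    "192.168.100.1": {80},
    "192.168.100.50": {80, 8080},  # no entry of its own, so "default" applies
}

# Handles the single-address and "default" forms used in the thread.
SERVER_RE = re.compile(
    r"^\s*preprocessor\s+http_inspect_server:\s*server\s+(\S+)"
    r".*?\bports\s*\{([^}]*)\}", re.IGNORECASE)

def parse_servers(conf_text):
    """Return {server_key: set(ports)} from http_inspect_server lines."""
    # snort.conf allows backslash line continuation; join those first.
    joined = re.sub(r"\\\s*\n", " ", conf_text)
    servers = {}
    for line in joined.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(1)] = {int(p) for p in m.group(2).split()}
    return servers

def unused_ports(servers, listening):
    """Ports configured for inspection that no matching host listens on."""
    report = {}
    explicit = set(servers) - {"default"}
    for key, ports in servers.items():
        # "default" covers every inventoried host without an explicit entry.
        hosts = [key] if key != "default" else [
            h for h in listening if h not in explicit]
        seen = set().union(*(listening.get(h, set()) for h in hosts))
        extra = ports - seen
        if extra:
            report[key] = sorted(extra)
    return report

if __name__ == "__main__":
    for key, extra in unused_ports(parse_servers(SNORT_CONF), LISTENING).items():
        print(f"{key}: configured but not listening: {extra}")
```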


