[Snort-users] Configuration tradeoffs

Stewart L stewartl42 at ...11827...
Wed Aug 27 13:38:59 EDT 2008


Left that in from the defaults.  I will change them.
Still, the defaults were searching for all those ports on every IP.  Seems
like defining the extra server lines increased my drop rate.

On Wed, Aug 27, 2008 at 1:31 PM, Joel Esler <eslerj at ...11827...> wrote:

> On Aug 27, 2008, at 1:22 PM, Stewart L wrote:
>
> Overnight.  It was a great webinar, BTW. :)
>
>
> Thanks.
>
>
>
> Here is an example of what I did...
>
> # Global Settings
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>
> # Linux Web Servers
> preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
> [snip about 40 similar lines with different IP addresses.]
>
>
> Are all those ports in use by each one of the IPs?  Is 192.168.100.1 listening on 80 8080 and 8180?  Or only on 80?  How about the other 39?
>
>
>
> #Default Windows server for the rest
> preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500
>
>
> Same thing.  What about the ports?
>
> J
>
>
>
> Stewart
>
> On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj at ...11827...> wrote:
>
>> How long have you had this running?
>> J
>>
>> On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
>>
>> So,
>>
>> I sat through a Webinar on common mistakes made when setting up Snort.
>> They mentioned that http_inspect needs to be configured to reduce false
>> positives.
>>
>> I have my global configuration, I have my default server configuration,
>> then I added about 40 server configuration lines for my Linux Servers.
>>
>> I'm seeing more packet loss since I configured all this up.   Went from
>> about 0.1% loss to more than 2%.
>>
>> Am I doing something incorrect here? Or is this expected?
>>
>> --
>> Stewart
>> --
>> You only lose what you cling to.
>>
>> --
>> Joel Esler
>> http://blog.joelesler.net
>> http://www.dearcupertino.com
>> [m]
>>
>>
>>
>>
>
>
> --
> Stewart
> --
> You only lose what you cling to.
>
>
>
> --
> Joel Esler
> http://blog.joelesler.net
> http://www.dearcupertino.com
> [m]
>
>
>
>


-- 
Stewart
--
You only lose what you cling to.