[Snort-users] Configuration tradeoffs

Joel Esler eslerj at ...11827...
Wed Aug 27 13:44:35 EDT 2008


On Aug 27, 2008, at 1:38 PM, Stewart L wrote:

> Left that in from the defaults.  I will change them.
> still, the defaults were searching for all those ports on every IP.   
> Seems like defining the extra server lines increased my drop rate.


Well, let's eliminate the issues one at a time.  Correct the ports, and we'll take it from there.

Joel

>
>
> On Wed, Aug 27, 2008 at 1:31 PM, Joel Esler <eslerj at ...11827...> wrote:
> On Aug 27, 2008, at 1:22 PM, Stewart L wrote:
>
>> Overnight.  It was a great webinar, BTW. :)
>
> Thanks.
>
>>
>>
>> Here is an example of what I did...
>>
>> # Global Settings
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>
>> # Linux Web Servers
>> preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
>> [snip about 40 similar lines with different IP addresses.]
>
> Are all those ports in use by each one of the IPs?  Is 192.168.100.1  
> listening on 80 8080 and 8180?  Or only on 80?  How about the other  
> 39?
>
>>
>>
>> #Default Windows server for the rest
>> preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500
>
> Same thing.  What about the ports?
>
> J
>
>>
>>
>> Stewart
>>
>> On Wed, Aug 27, 2008 at 1:12 PM, Joel Esler <eslerj at ...11827...> wrote:
>> How long have you had this running?
>>
>> J
>>
>> On Aug 27, 2008, at 12:14 PM, Stewart L wrote:
>>
>>> So,
>>>
>>> I sat through a Webinar on common mistakes made when setting up  
>>> Snort.   They mentioned that http_inspect needs to be configured  
>>> to reduce false positives.
>>>
>>> I have my global configuration, I have my default server  
>>> configuration, then I added about 40 server configuration lines  
>>> for my Linux Servers.
>>>
>>> I'm seeing more packet loss since I configured all this up.   Went  
>>> from about 0.1% loss to more than 2%.
>>>
>>> Am I doing something incorrect here? Or is this expected?
>>>
>>> -- 
>>> Stewart
>>> --
>>> You only lose what you cling to.
>>
>>
>> --
>> Joel Esler
>> http://blog.joelesler.net
>> http://www.dearcupertino.com
>> [m]


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com
[m]
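Joel's question ("are all those ports in use by each one of the IPs?") is the check worth automating when there are 40 server lines. The script below is an added example, not code from the thread: it parses `http_inspect_server` lines from a constructed snort.conf fragment (only 192.168.100.1 and its ports come from the thread; the second server and the listening-port inventory are made up) and reports ports each entry tells http_inspect to normalise that the host does not actually serve.

```python
from __future__ import annotations
import re

# Constructed snort.conf fragment modelled on the lines quoted in the
# thread; the second server entry is made up.
SAMPLE_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 192.168.100.1 profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 192.168.100.2 profile apache ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server default profile iis ports { 80 8080 8180 } oversize_dir_length 500
"""

# Constructed inventory of the ports each web server really listens on;
# in practice this comes from your asset data or a service scan you own.
LISTENING = {
    "192.168.100.1": {80},
    "192.168.100.2": {80, 8080},
}

_SERVER_LINE = re.compile(
    r"^preprocessor\s+http_inspect_server:\s+server\s+(\S+)"
    r"\s+profile\s+(\w+)\s+ports\s*\{([^}]*)\}",
    re.MULTILINE,
)

def parse_servers(conf: str) -> dict[str, dict]:
    """Map each http_inspect_server target to its profile and port set."""
    servers = {}
    for m in _SERVER_LINE.finditer(conf):
        servers[m.group(1)] = {
            "profile": m.group(2),
            "ports": {int(p) for p in m.group(3).split()},
        }
    return servers

def unused_ports(conf: str, listening: dict[str, set[int]]) -> dict[str, set[int]]:
    """Ports a server entry asks http_inspect to normalise although the host
    serves nothing there; each one is HTTP inspection spent on non-HTTP traffic.
    The 'default' entry has no single host to compare against and is skipped."""
    result = {}
    for server, cfg in parse_servers(conf).items():
        if server == "default":
            continue
        extra = cfg["ports"] - listening.get(server, set())
        if extra:
            result[server] = extra
    return result

if __name__ == "__main__":
    for host, ports in sorted(unused_ports(SAMPLE_CONF, LISTENING).items()):
        print(f"{host}: http_inspect configured for unused ports {sorted(ports)}")
```

Trimming the reported ports from each server line (and from `default`, which applies to every other address) is the change the thread is steering toward; re-check the drop rate afterwards before touching anything else.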


