[Snort-users] http_inspect

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Nov 10 14:43:49 EST 2009

Thanks, I guess I missed that in the docs!


-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace at ...11827...] 
Sent: Tuesday, November 10, 2009 11:42 AM
To: Jefferson, Shawn
Cc: Snort Users List
Subject: Re: [Snort-users] http_inspect

Per the docs...

The 'yes/no' argument does not specify whether the configuration option
itself is on or off, only the alerting functionality.

On Tue, Nov 10, 2009 at 1:32 PM, Jefferson, Shawn
<Shawn.Jefferson at ...14448...> wrote:
> Hi,
> I'm looking at tuning the http_inspect pre-processor, specifically some of
> the false positives I get from this.
> My question is, if you set some of these options:
> u_encode no
> bare_byte no
> iis_unicode no
> double_decode no
> Will that affect the ability for snort to process some of the http specific
> rules in the ruleset?  Does it affect the normalization of http traffic, or
> just turn off these specific alerts?
> --
> Shawn
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list