[Snort-users] flow:established still broken in

Jason Haar Jason.Haar at ...294...
Thu Jun 30 00:06:45 EDT 2011

On 30/06/11 13:39, Jason Wallace wrote:
> If you are frequently getting FP on ssl/tls/ssh traffic, even though
> you have this data set to ignore in the ssl/ssh preprossors, then make
> sure all your ports that are supporting this type of traffic are in
> both the ssl/ssh preprocessors and in stream5. 

How does that work for a proxy? i.e. port 3128 supports both HTTP (via
GET/POST/etc) and HTTPS (via CONNECT method - and indeed isn't
guaranteed to be SSL anyway)



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list