[Snort-users] flow:established still broken in

Jason Wallace jason.r.wallace at ...11827...
Thu Jun 30 16:26:10 EDT 2011

Not sure.

Definitely make sure 3128 is in "ports both" in stream5 and in "ports"
for http_inspect. Both of these are set in the default config in the
2.9.1_beta. Also add CONNECT to http_methods since only GET and POST
are included by default.

I would *guess* that to ignore the ssl traffic 3128 would also have to
be in the ssl preprossor port list, but I don't know what affect that
would have on performance since both HTTP and HTTPS are using the same


On Thu, Jun 30, 2011 at 12:06 AM, Jason Haar <Jason.Haar at ...294...> wrote:
> On 30/06/11 13:39, Jason Wallace wrote:
>> If you are frequently getting FP on ssl/tls/ssh traffic, even though
>> you have this data set to ignore in the ssl/ssh preprossors, then make
>> sure all your ports that are supporting this type of traffic are in
>> both the ssl/ssh preprocessors and in stream5.
> How does that work for a proxy? i.e. port 3128 supports both HTTP (via
> GET/POST/etc) and HTTPS (via CONNECT method - and indeed isn't
> guaranteed to be SSL anyway)
> Thanks
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please see http://www.snort.org/docs for documentation

More information about the Snort-users mailing list