[Snort-users] Do you have port 443 in $HTTP_PORTS and http_inspect_server?

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...11827...
Fri Nov 21 14:28:56 EST 2014


Right now on my Snorts I do not have the TCP port 443 in the HTTP_PORTS
portvar or in the http_inspect_server port lists.  But do you think I
should? Sometimes I have the malwares use 443 but not encrypted at all and
it would be nice to be able to use http_inspect buffers and have the PAF.

I also have 'noinspect_encrypted' on my SSL preprocessor configurations so
I am thinking that if I put 443 in for http_inspect it won't be a big deal
because I won't do inspection after a successful SSL handshake is detected.

I am curious what other people do and their reasoning for this.

Have you ever thought about this?  I don't see the port 443 in the default
config that comes with snort so I am worried about doing it.  How will it
impact performance?

Thanks && Cheers!

L0rd C.