[Snort-users] Do you have port 443 in $HTTP_PORTS and http_inspect_server?
l0rdch0de1m0rt at ...11827...
Fri Nov 21 14:28:56 EST 2014
Right now on my Snorts I do not have the TCP port 443 in the HTTP_PORTS
portvar or in the http_inspect_server port lists. But do you think I
should? Sometimes I have the malwares use 443 but not encrypted at all and
it would be nice to be able to use http_inspect buffers and have the PAF.
I also have 'noinspect_encrypted' on my SSL preprocessor configurations so
I am thinking that if I put 443 in for http_inspect it won't be a big deal
because I won't do inspection after a successful SSL handshake is detected.
I am curious what other people do and their reasoning for this.
Have you ever thought about this? I don't see the port 443 in the default
config that comes with snort so I am worried about doing it. How will it
Thanks && Cheers!
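
Added example, not part of the original post: a small Python check that reports whether port 443 appears in the HTTP_PORTS portvar, in any http_inspect_server port list, and in the SSL preprocessor's ports, and whether noinspect_encrypted is set. The sample config is constructed, and the parser assumes Snort 2.x snort.conf syntax with literal ports and ranges only (no nested variables or negation).

```python
import re

# Constructed sample in Snort 2.x snort.conf syntax; port lists are illustrative.
SAMPLE_CONF = r"""
portvar HTTP_PORTS [80,8000:8002,8080]
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }
preprocessor ssl: ports { 443 465 993 }, trustservers, noinspect_encrypted
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    merged = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (line.strip() for line in merged.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def expand(tokens):
    """Expand tokens like '80', '8000:8002' or '1024:' into a set of ports."""
    ports = set()
    for tok in tokens:
        lo, sep, hi = tok.partition(":")
        first = int(lo or 0)
        last = int(hi) if hi else (65535 if sep else first)
        ports.update(range(first, last + 1))
    return ports

def audit(conf_text, port=443):
    """Report where `port` is configured for HTTP and SSL inspection."""
    found = {"http_ports_var": False, "http_inspect_server": False,
             "ssl_ports": False, "noinspect_encrypted": False}
    for line in logical_lines(conf_text):
        braces = re.search(r"\bports\s*\{([^}]*)\}", line)
        listed = braces is not None and port in expand(braces.group(1).split())
        var = re.match(r"portvar\s+HTTP_PORTS\s+\[?([\d:,\s]+)\]?\s*$", line)
        if var:
            found["http_ports_var"] = port in expand(re.findall(r"[\d:]+", var.group(1)))
        elif line.startswith("preprocessor http_inspect_server:"):
            found["http_inspect_server"] |= listed  # any server block counts
        elif line.startswith("preprocessor ssl:"):
            found["ssl_ports"] = listed
            found["noinspect_encrypted"] = "noinspect_encrypted" in line
    return found

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Running it against a sensor's real snort.conf shows at a glance whether the HTTP and SSL preprocessors are both configured for the same port.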