[Snort-users] Do you have port 443 in $HTTP_PORTS and http_inspect_server?

Joel Esler jesler at ...589...
Fri Nov 21 14:59:57 EST 2014


I’ve seen people do it, with mixed results.  Totally depends on the network, I would suppose.  You can test it and provide feedback.  I know, easy for me to say, right?

On Friday, November 21, 2014 at 2:28 PM, L0rd Ch0de1m0rt wrote:

> Hello.
>  
> Right now on my Snorts I do not have the TCP port 443 in the HTTP_PORTS portvar or in the http_inspect_server port lists.  But do you think I should? Sometimes I have the malwares use 443 but not encrypted at all and it would be nice to be able to use http_inspect buffers and have the PAF.
>  
> I also have 'noinspect_encrypted' on my SSL preprocessor configurations so I am thinking that if I put 443 in for http_inspect it won't be a big deal because I won't do inspection after a successful SSL handshake is detected, right???
>  
> I am curious what other people do and their reasoning for this.
>  
> Have you ever thought about this?  I don't see port 443 in the default config that comes with snort so I am worried about doing it.  How will it impact performance?
>  
> Thanks && Cheers!
>  
> L0rd C.

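A small audit of the settings this thread discusses, as an added example that is not part of either poster's message: it parses a snort.conf and reports whether 443 is in the HTTP_PORTS portvar, in the http_inspect_server ports list, in the ssl preprocessor's ports, and whether noinspect_encrypted is set. The configuration fragment is constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed snort.conf fragment (Snort 2.9-style syntax), not taken from the thread.
SAMPLE_CONF = """\
portvar HTTP_PORTS [80,8080,443]
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    enable_cookie
preprocessor ssl: ports { 443 465 993 }, trustservers, noinspect_encrypted
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\\s*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def ports_in(spec):
    """Numeric ports and lo:hi ranges; negations and $variables are ignored."""
    ports = set()
    for lo, hi in re.findall(r"(?<![\w$!])(\d+)(?::(\d+))?", spec):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(conf, port=443):
    """Report where `port` is configured and whether ssl has noinspect_encrypted."""
    r = {"in_http_ports": False, "in_http_inspect": False,
         "in_ssl_ports": False, "noinspect_encrypted": False}
    for line in logical_lines(conf):
        m = re.match(r"(?:portvar|var)\s+HTTP_PORTS\s+\[?([^\]]*)\]?", line)
        if m:
            r["in_http_ports"] = port in ports_in(m.group(1))
        elif line.startswith("preprocessor http_inspect_server:"):
            for spec in re.findall(r"\bports\s*\{([^}]*)\}", line):
                r["in_http_inspect"] |= port in ports_in(spec)
        elif line.startswith("preprocessor ssl:"):
            for spec in re.findall(r"\bports\s*\{([^}]*)\}", line):
                r["in_ssl_ports"] |= port in ports_in(spec)
            r["noinspect_encrypted"] |= "noinspect_encrypted" in line
    return r

if __name__ == "__main__":
    for setting, present in audit(SAMPLE_CONF).items():
        print(f"{setting}: {present}")
```

On the constructed fragment the audit shows 443 present in HTTP_PORTS but missing from the http_inspect_server ports list, the kind of mismatch between the two lists that is easy to leave behind when changing only one of them.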