[Snort-users] Hosts Attribute exception/override?

Jefferson, Shawn Shawn.Jefferson at ...14448...
Thu Jan 22 14:48:45 EST 2015

I recently made some changes on the network, and was trying to get alerting set up for a proxy server.  I had some trouble and finally tracked it down to the hosts attribute entry for my proxy.  I'm using PRADS and shipping that file to all my sensors.  Basically what had happened was that PRADS thinks that the proxy port 3128 is TLS/SSL, which it can be, but it's also HTTP.  Snort was completely ignoring the HTTP traffic for that port, even though I had 3128 in all the right places in the snort.conf, and treating the proxy as EXTERNAL_NET.

Is there a method to override the hosts attribute table, or should I strip this system out before sending it to this particular sensor that is watching the proxy traffic?
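
The second option raised above, stripping the proxy's entry from the table before it is shipped to one sensor, can be done with a small filter. This is an added example, not part of the original post and not PRADS or Snort code; it assumes the Snort 2.9 host attribute table XML layout, and the sample table, addresses and function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the filter reads.
# 192.0.2.10 stands in for the proxy that was fingerprinted as ssl on 3128.
SAMPLE = """<SNORT_ATTRIBUTES><ATTRIBUTE_TABLE>
<HOST><IP>192.0.2.10</IP><SERVICES><SERVICE>
  <PORT><ATTRIBUTE_VALUE>3128</ATTRIBUTE_VALUE></PORT>
  <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
  <PROTOCOL><ATTRIBUTE_VALUE>ssl</ATTRIBUTE_VALUE></PROTOCOL>
</SERVICE></SERVICES></HOST>
<HOST><IP>192.0.2.20</IP><SERVICES><SERVICE>
  <PORT><ATTRIBUTE_VALUE>80</ATTRIBUTE_VALUE></PORT>
  <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE></IPPROTO>
  <PROTOCOL><ATTRIBUTE_VALUE>http</ATTRIBUTE_VALUE></PROTOCOL>
</SERVICE></SERVICES></HOST>
</ATTRIBUTE_TABLE></SNORT_ATTRIBUTES>"""


def services(xml_text):
    """List (ip, port, protocol) for every service entry, to spot bad fingerprints."""
    found = []
    for host in ET.fromstring(xml_text).iter("HOST"):
        ip = (host.findtext("IP") or "").strip()
        for svc in host.iter("SERVICE"):
            found.append((ip,
                          svc.findtext("PORT/ATTRIBUTE_VALUE"),
                          svc.findtext("PROTOCOL/ATTRIBUTE_VALUE")))
    return found


def strip_hosts(xml_text, drop_ips):
    """Return (new_xml, removed_ips) with the HOST entries for drop_ips removed."""
    root = ET.fromstring(xml_text)
    removed = []
    for table in root.iter("ATTRIBUTE_TABLE"):
        for host in list(table.findall("HOST")):  # copy: we mutate the table
            ip = (host.findtext("IP") or "").strip()
            if ip in drop_ips:
                table.remove(host)
                removed.append(ip)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("before:", services(SAMPLE))
    filtered, removed = strip_hosts(SAMPLE, {"192.0.2.10"})
    print("removed:", removed)
    print("after:", services(filtered))
```

Run the filter only on the copy destined for the sensor watching the proxy, so the other sensors keep the full table.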
