Re: [Snort-users] Snort 2.1.0 - Shutting up http_inspect on non web servers

On Tue, 13 Jan 2004 12:31:03 -0800 (PST)
"James Nonya" <slave_tothe_box@yahoo.com> wrote:

> Any way to do this people? I've just upgraded....and
> got some server profiles going with
> http_inspect_server, but I'm getting BOATLOADS of
> other http traffic in there as well. Help!!!

Hehe...here's from a previous post:

    preprocessor http_inspect_server: server default \
        ports { 80 8080 } \
        flow_depth 300 \
        ascii no \
        utf_8 no \
        bare_byte no \
        base36 no \
        iis_unicode no \
        double_decode no \
        non_rfc_char { 0x00 } \
        multi_slash no \
        iis_backslash no \
        directory no \
        apache_whitespace no \
        iis_delimiter no \
        chunk_length 64000 \
        non_strict

Then adding my real servers has nicely shut up http_inspect for our client workstations.

I'm surprised that there is no option to simply say:

    http_inspect_server: server $HTTP_SERVERS

that will only inspect servers, not clients accessing outside servers.

James
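
Added example, not part of the original post or of Snort: since the post notes there is no `server $HTTP_SERVERS` shortcut, this script expands the `HTTP_SERVERS` variable from a snort.conf into one `http_inspect_server` stanza per web server, to sit alongside the quiet `server default` profile above. It assumes each stanza takes a single IP address; the `profile all` setting, the port list and the sample addresses are illustrative choices.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (documentation address range).
SAMPLE_CONF = """\
var HOME_NET 192.0.2.0/24
var HTTP_SERVERS [192.0.2.10, 192.0.2.11, 192.0.2.32/30]
"""

def http_servers(conf_text, var_name="HTTP_SERVERS"):
    """Return the individual IPv4 hosts named by 'var <var_name> ...'."""
    m = re.search(r"^\s*var\s+%s\s+(.+)$" % re.escape(var_name), conf_text, re.M)
    if not m:
        raise ValueError("no 'var %s' line found" % var_name)
    value = re.sub(r"\s+", "", m.group(1)).strip("[]")
    hosts = []
    for item in filter(None, value.split(",")):
        if item[0] in "$!" or item == "any":
            # References, negations and 'any' cannot become a host list.
            raise ValueError("cannot expand %r; list the servers explicitly" % item)
        net = ipaddress.IPv4Network(item, strict=False)
        # A bare address parses as a /32; a CIDR block yields its usable hosts.
        hosts.extend([net.network_address] if net.prefixlen == 32 else net.hosts())
    return sorted(set(hosts))

def server_stanzas(conf_text, profile="all", ports=(80, 8080)):
    """Build one per-server stanza per web server (assumed: one IP per stanza)."""
    port_list = " ".join(str(p) for p in ports)
    return [
        "preprocessor http_inspect_server: server %s \\\n"
        "    profile %s ports { %s }" % (ip, profile, port_list)
        for ip in http_servers(conf_text)
    ]

if __name__ == "__main__":
    print("\n".join(server_stanzas(SAMPLE_CONF)))
```

A variable that only points at another variable (for example `$HOME_NET`) is rejected rather than expanded, because inspecting every host in the home network would bring the client-workstation noise back.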