This is a discussion on [Snort-users] (no subject) within the Snort forums, part of the System Security and Security Related category.
I just upgraded to the current version of Snort. Now, I am getting multiple Http_Inspect Alerts. Most of the payloads look like normal web traffic. My previous version of Snort didn't have the HTTP_Inspect Preprocessor. So, I am a little confused on the importance of the Http_Inspect and its configuration. Here are my questions.

1. Why are there so many alerts on normal traffic?
2. Is this preprocessor necessary?
3. Do I have to configure the preprocessor for every web server we run, or will the default settings be OK?
4. Is it unwise to turn it off?

I have read through the Documentation from SNORT on this preprocessor and still can't seem to answer my questions.
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users
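As an added illustration, not part of the original post and not a file shipped with Snort, the snort.conf fragment below shows the Snort 2.x http_inspect layout the questions are about: one `global` line, a `server default` block that covers every host not listed explicitly, and per-server blocks. The 192.0.2.x addresses are placeholders for the poster's own web servers. The default block alone is a working setup (question 3), but `profile all` applies every decoder and so alerts on encodings a given server would never act on; matching each known server to its real type (`apache` or `iis`) removes those alerts without losing inspection. For question 4, `no_alerts` is the supported way to silence the anomaly alerts for a reviewed server while keeping URI normalization, which `uricontent` rules depend on; commenting the preprocessor out entirely removes that normalization as well.

```conf
# Global http_inspect settings (exactly one of these per snort.conf).
# unicode.map ships with Snort and is needed for IIS Unicode decoding.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Catch-all for any HTTP server not named below. "profile all" enables
# every decoder and its alerts, which is the noisiest setting on benign
# traffic; keep it here so unknown hosts are still fully inspected.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }

# Placeholder addresses (192.0.2.0/24 is reserved for documentation).
# An Apache host: the apache profile drops IIS-only decoders such as
# iis_unicode and iis_backslash, so their alerts no longer fire here.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }

# An IIS host: the iis profile enables the IIS decoders and turns off
# Apache-specific checks such as apache_whitespace.
preprocessor http_inspect_server: server 192.0.2.20 \
    profile iis ports { 80 }

# A host whose http_inspect alerts have been reviewed and are all noise:
# no_alerts suppresses only the preprocessor's anomaly alerts, while URI
# normalization still runs so uricontent rules keep matching. This is the
# tuning step to take before considering disabling the preprocessor.
preprocessor http_inspect_server: server 192.0.2.30 \
    profile apache ports { 80 } no_alerts
```

Note that `profile` is only combinable with a short list of options (`ports`, `iis_unicode_map`, `flow_depth`, `no_alerts`, `allow_proxy_use`, `inspect_uri_only`, `oversize_dir_length`); to toggle an individual decoder such as `double_decode` or `multi_slash`, write the server block without `profile` and list the options explicitly.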