RE: [Snort-users] RE: [Snort-sigs] http_inspect
This is a discussion on RE: [Snort-users] RE: [Snort-sigs] http_inspect within the Snort forums, part of the System Security and Security Related category; Or !$HTTP_SERVERS -----Original Message----- From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
08-03-2004
|
|||
|
|||
RE: [Snort-users] RE: [Snort-sigs] http_inspect
Or !$HTTP_SERVERS
-----Original Message----- From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Esler, Joel - Contractor Sent: Tuesday, August 03, 2004 2:23 PM To: Jeremy Hewlett; snort-users@lists.sourceforge.net; snort-sigs@lists.sourceforge.net Subject: [Snort-users] RE: [Snort-sigs] http_inspect This would be an awesome function to use, however, it should flag on HTTP traffic !$HTTP_PORTS That might be a bit easier to code. J -----Original Message----- From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Jeremy Hewlett Sent: Tuesday, August 03, 2004 1:57 PM To: snort-users@lists.sourceforge.net; snort-sigs@lists.sourceforge.net Subject: Re: [Snort-sigs] http_inspect On Thu, Jul 29, Esler, Joel - Contractor wrote: >=20 > detect_anomalous_servers config for http_inspect. When I turn it on, > it works, but it detects return HTTP traffic as opposed to HTTP > traffic to non $HTTP_SERVERS, I am assuming that this is the probem > with it right now and they are going to fix it? Or do I have > something misconfig? Hi Joel! Thanks for working with me on this. For others who might be experiencing similar results, the issue is related to not having a default entry for non-anomalous ports. We're going to redefine anomalous servers to be specific to certain network(s), we think this will help curb false alerts. Look for a commit to HEAD in the Near Future (tm). ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-sigs mailing list Snort-sigs@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-sigs ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=3Dort-users ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
