[Snort-users] Using http_Inspect Correctly
From: Kenneth Trimmer (kenneth.trimmer parkvale.com)
Date: Wed Aug 04 2004 - 13:07:51 CDT
I'm running Snort 2.2.0 and I am getting an overflow of HTTP_Inspect alerts.
I've looked through the docs and Google to see how to set up the
http_inspect Preprocessor for my HTTP Servers. However, most if not all of
the alerts that are being generated are coming from External sources to
Non-http computers. Everything I read more or less instructs you on how to
turn off the preprocessor or get it to quiet the alerts by removing all of
its functionality. What I would like to do is continue to use this
preprocessor but I would appreciate some help on making sure it is
configured correctly. Is there any way to get this preprocessor to quiet
down or is this considered to be normal activity? My thoughts are that I
configure all of my servers with their own instance of the http_inspect
preprocessor then set the default to No-alerts. Is this correct? That way I
should only see traffic that's on my http servers and not on anything else.
Or do I have that completely backwards? Do I configure all of my servers to
no alerts and alert on the default? Any help would be greatly appreciated.
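
Added example, not part of the original post: a snort.conf sketch of the first layout described above, where each web server gets its own http_inspect_server entry and the default entry carries no_alerts. The two server addresses, their profiles and the port lists are constructed placeholders; the unicode map line assumes the stock file shipped with Snort.

```conf
# Global http_inspect settings (required once, before any server entries).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Default entry: matches any destination not listed below.
# no_alerts silences http_inspect's own alerts for those hosts;
# normalization still runs and HTTP rules in the rule set are unaffected.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# Per-server entries (constructed addresses): alerts stay enabled here,
# so http_inspect alerts are raised only for the real web servers.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }
preprocessor http_inspect_server: server 192.0.2.20 \
    profile iis ports { 80 8080 }
```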