[Snort-users] disable http_inspect for external www servers
Tim Bernhardson

2004-09-27, 8:45 pm

Running Snort 2.2.0, have http_inspect enabled but 98+% of alerts are
for traffic between Squid and external WWW servers.
Is there any way to tell http_inspect to only inspect servers on a
specific subnet (i.e. 192.168.0.0/255.255.0.0)? Or to ignore all traffic
from a specific IP address?

I have read through the documentation and browsed the web and have not
had any luck finding an answer.

Thanks

Tim Bernhardson
Senior Technical Engineer
Certified Citrix Metaframe Administrator
Certified CyberGuard Administrator
Certified AIX 4.3 System Administrator
Sun-Maid Growers of California
7273 Murray Drive, Ste 18
Stockton, CA 95210

tbernhar at sunmaid dot com


Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Jason

2004-09-27, 8:45 pm

I do not think there is a way within http_inspect to do what you want.
You should consider using suppression to suppress all of the
http_inspect alerts for that destination address.

http://www.snort.org/docs/snort_manual/node12.html

M Shirk

2004-09-29, 7:57 pm

Leads to a good question for the list.

My first reaction is to make an explicit rule with a SPECIAL_NET variable to
alert on, but then create a pass rule for anything other than the
SPECIAL_NET group.

However, is this the best approach? (Question to list)

Shirkdog
Jeremy Hewlett

2004-09-30, 10:36 am

On Wed, Sep 29, M Shirk wrote:
> My first reaction is to make an explicit rule with a SPECIAL_NET variable
> to alert on, but then create a pass rule for anything other than the
> SPECIAL_NET group.


This would work fine for rule-based alerts. However, Tim's issue was
that he was getting unwanted http_inspect preprocessor alerts.

We talked this over off-list to figure out the specific issue. The end
result was to add no_alerts to the "default" profile and add "server"
entries for any webservers/proxies (which he already did). In this
setup, http_inspect won't generate preprocessor alerts for
local->internet (but still normalizes).

...and on that note, in the Near Future (tm) we'll be adding the
ability for users to define servers with netmasks.
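The two approaches the thread arrives at (Jason's suppression and the no_alerts default profile Jeremy describes) as a snort.conf fragment for Snort 2.2; this is an added illustration, not configuration from the thread, and the IP addresses, ports and the sig_id are constructed placeholders.

```conf
# --- snort.conf fragment (added example; not from the thread) ---
# Addresses and ports below are constructed placeholders: use the real ones.

# Option A (Jeremy's off-list fix): the "default" server profile gets
# no_alerts, so http_inspect still normalizes local -> internet traffic
# (Squid to arbitrary external web servers) but raises no preprocessor
# alerts for it. Each internal web server or proxy gets its own "server"
# entry WITHOUT no_alerts, so it is still fully inspected and alerted on.
# Snort 2.2 takes single IPs in server entries; netmasks were not yet
# available when this thread was written. "profile" must be the first
# server option; ports and no_alerts are among the options it allows.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } no_alerts

# an internal web server (placeholder address)
preprocessor http_inspect_server: server 192.168.10.5 \
    profile apache ports { 80 }

# the Squid proxy as seen by internal clients (placeholder address/port)
preprocessor http_inspect_server: server 192.168.1.20 \
    profile all ports { 3128 }

# Option B (Jason's suggestion): leave http_inspect alerting everywhere
# and suppress its alerts (gen_id 119) for the one noisy host instead.
# suppress needs a sig_id per event type, so add one line for each
# 119:<sid> that actually shows up in the alert log (sig_id 1 here is
# only an illustration). track by_src with the proxy IP matches Tim's
# "ignore all traffic from a specific IP address"; Jason's by-destination
# variant is the same line with track by_dst and the external server's IP.
suppress gen_id 119, sig_id 1, track by_src, ip 192.168.1.20
```

Option A is the better fit for proxy-to-internet noise because it needs no per-sid maintenance and keeps normalization (and therefore rule matching on normalized URIs) intact; Option B is the quick fix when only a handful of hosts or sids are involved.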
Copyright 2003 - 2010 webservertalk.com