Re: disable http_inspect for external www servers

[Jeremy Hewlett <jh () sourcefire com>]

On Wed, Sep 29, M Shirk wrote:
> My first reaction is to make an explicit rule with a SPECIAL_NET variable 
> to alert on, but then create a pass rule for anything other then the 
> SPECIAL_NET group.

This would work fine for rule-based alerts. However, Tim's issue was
that he was getting unwanted http_inspect preprocessor alerts.

We talked this over off-list to figure out the specific issue. The end
result was to add no_alerts to the "default" profile and add "server"
entries for any webservers/proxies (which he already did). In this
setup, http_inspect won't generate preprocessor alerts for
local->internet (but still normalizes).

..and on that note, in the Near Future (tm) we'll be adding the
ability for users to define servers with netmasks.



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users