Snort mailing list archives

Re: Is it dangerous to tweak http_inspect defaults


From: Mike Lococo <mikelococo () gmail com>
Date: Wed, 12 Oct 2011 13:06:46 -0400

On 10/12/2011 12:55 PM, Joel Esler wrote:
> What we call our "current" snort.conf is the .conf that is shipped in
> the VRT rules download tarball in the etc/ directory.

I'll keep that in mind.  I'm using the .conf for snort 2.9.1.1 which as 
you note is quite new.

> All Snort configurations require tuning for their environment
> (memory, rules enabled, locations, var's, etc), however the detection
> options should be enabled in order to provide full coverage and
> utilize the full features of Snort.

To be clear, I'm interested in enabling *additional* options that appear
to me to provide additional evasion protection.  My question is whether
that will have unintended consequences.  It sounds like your response can
be paraphrased as:

     "Yes, it's dangerous to enable additional http_inspect
     normalization like normalize_cookies, normalize_headers,
     and normalize_utf because we count on every installation
     using the config that we ship except for variations in
     memcaps, rules-enabled, and vars".

Thanks,
Mike Lococo
