Snort mailing list archives

(no subject)


From: "Kenneth Trimmer" <kenneth.trimmer () parkvale com>
Date: Mon, 2 Aug 2004 13:35:49 -0400

I just upgraded to the current version of Snort. Now, I am getting multiple
Http_Inspect alerts. Most of the payloads look like normal web traffic. My
previous version of Snort didn't have the HTTP_Inspect preprocessor. So, I
am a little confused about the importance of Http_Inspect and its
configuration. Here are my questions.

1. Why are there so many alerts on normal traffic?

2. Is this preprocessor necessary?

3. Do I have to configure the preprocessor for every web server we run, or
will the default settings be OK?

4. Is it unwise to turn it off?

I have read through the documentation from Snort on this preprocessor and
still can't seem to answer my questions.

