[Emerging-Sigs] Recommended http_inspect config

Mike Lococo mikelococo at gmail.com
Wed Oct 12 12:31:38 EDT 2011


Hi Folks,

I'm wondering if there are any recommendations regarding the 
http_inspect configuration in order to ensure compatibility with the ET 
ruleset.  I'm doing a periodic review of my snort-config and wondering 
if I should turn on the extra normalization provided by http_inspect 
(like normalize_cookies, normalize_headers, and normalize_utf), but I've 
read Eoin's post at http://trojanedbinaries.com/blog/?p=212 and am 
wondering if any deviation from the VRT defaults is a bad idea because 
it might move data from one buffer to another, or normalize out 
anomalies that are being searched for in sigs.  Is that an intelligent 
fear, or should I consider turning on extra normalization provided I 
have the capacity to do so without dropping packets?

Cheers,
Mike Lococo
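For readers unfamiliar with the options Mike is weighing, the following is an added illustration (not part of Mike's post, the ET ruleset, or the VRT defaults) of a Snort 2.9-era http_inspect_server block with the three normalization options he names switched on; the port list, the server block name and the inclusion of enable_cookie are assumptions for the example, not a recommendation from this thread:

```conf
# Added example: http_inspect_server block with the extra normalization
# options from the question enabled. Ports and server name are assumed.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    enable_cookie \
    normalize_cookies \
    normalize_headers \
    normalize_utf
```

The buffer-movement concern in the question is concrete: once enable_cookie is set, the Cookie header line is carried in its own http_cookie buffer rather than in the http_header buffer, so a signature that matches cookie data with a header content modifier is evaluated against a different buffer than it was written for. Any change to this block is therefore best checked against the rules that use http_header, http_cookie and http_raw_* modifiers, ideally by replaying a known pcap through both configurations and diffing the alerts before deploying.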

