[Emerging-Sigs] Recommended http_inspect config

Joel Esler jesler at sourcefire.com
Wed Oct 12 12:52:19 EDT 2011


Just from our point of view.

What we call our "current" snort.conf is the .conf that is shipped in the VRT rules download tarball in the etc/ directory.  It contains our current configuration that we test against and also what we expect environments, for the most part, to be configured like.

When that changes I post the changes on http://blog.snort.org.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 12, 2011, at 12:31 PM, Mike Lococo wrote:

> Hi Folks,
> 
> I'm wondering if there are any recommendations regarding the 
> http_inspect configuration in order to ensure compatibility with the ET 
> ruleset.  I'm doing a periodic review of my snort-config and wondering 
> if I should turn on the extra normalization provided by http_inspect 
> (like normalize_cookies, normalize_headers, and normalize_utf), but I've 
> read eoin's post at http://trojanedbinaries.com/blog/?p=212 and am 
> wondering if any deviation from the VRT defaults is a bad idea because 
> it might move data from one buffer to another, or normalize out 
> anomalies that are being searched for in sigs.  Is that an intelligent 
> fear, or should I consider turning on extra normalization provided I 
> have the capacity to do so without dropping packets?
> 
> Cheers,
> Mike Lococo
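To make the "move data from one buffer to another" worry concrete, here is an added illustration that is not code from the thread, from Snort or from the VRT configuration: a small Python model of what happens to rule matches when the Cookie header is pulled into its own buffer and the URI and cookie are percent-decoded. The sample request, the four rules and the option names are constructed for the example; Snort's real http_inspect behaviour is only approximated.

```python
from urllib.parse import unquote

# Constructed sample request for the example (not captured traffic).
SAMPLE_REQUEST = (
    "GET /cgi-bin/%2e%2e/%2e%2e/config.php?id=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: session=abc123; track=%41%42\r\n"
    "User-Agent: test\r\n\r\n"
)

# Hypothetical rules as (name, buffer, content): two written against the raw
# form of the traffic, two against the split/decoded form.
RULES = [
    ("raw-cookie-in-header", "http_header", "Cookie: session="),
    ("cookie-buffer",        "http_cookie", "session="),
    ("raw-encoded-dotdot",   "http_uri",    "%2e%2e/"),
    ("decoded-dotdot",       "http_uri",    "../"),
]

def split_buffers(request, extract_cookie=False, decode_percent=False):
    """Split one request into the buffers a rule can inspect.

    extract_cookie moves the Cookie header out of http_header into
    http_cookie; decode_percent percent-decodes the URI and the cookie.
    This models the *effect* of such preprocessor options, not Snort's code.
    """
    head = request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    uri = request_line.split(" ")[1]
    headers, cookie = [], ""
    for line in header_lines:
        if extract_cookie and line.lower().startswith("cookie: "):
            cookie = line[len("Cookie: "):]
        else:
            headers.append(line)
    if decode_percent:
        uri, cookie = unquote(uri), unquote(cookie)
    return {"http_uri": uri, "http_header": "\r\n".join(headers),
            "http_cookie": cookie}

def matching_rules(request, **options):
    """Return the names of rules whose content is found in their buffer."""
    buffers = split_buffers(request, **options)
    return sorted(n for n, buf, pat in RULES if pat in buffers[buf])

if __name__ == "__main__":
    print("defaults  :", matching_rules(SAMPLE_REQUEST))
    print("normalized:", matching_rules(SAMPLE_REQUEST, extract_cookie=True,
                                         decode_percent=True))
```

The same request trips a different pair of rules under each setting, which is why a ruleset only stays reliable against the preprocessor configuration it was written and tested with.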