[Emerging-Sigs] Recommended http_inspect config
jesler at sourcefire.com
Wed Oct 12 12:52:19 EDT 2011
Just from our point of view.
What we call our "current" snort.conf is the .conf that is shipped in the VRT rules download tarball in the etc/ directory. It contains our current configuration that we test against and also what we expect environments, for the most part, to be configured like.
When that changes I post the changes on http://blog.snort.org.
Senior Research Engineer, VRT
OpenSource Community Manager
On Oct 12, 2011, at 12:31 PM, Mike Lococo wrote:
> Hi Folks,
> I'm wondering if there are any recommendations regarding the
> http_inspect configuration in order to ensure compatibility with the ET
> ruleset. I'm doing a periodic review of my snort-config and wondering
> if I should turn on the extra normalization provided by http_inspect
> (like normalize_cookies, normalize_headers, and normalize_utf), but I've
> read eoin's post at http://trojanedbinaries.com/blog/?p=212 and am
> wondering if any deviation from the VRT defaults is a bad idea because
> it might move data from one buffer to another, or normalize out
> anomalies that are being searched for in sigs. Is that an intelligent
> fear, or should I consider turning on extra normalization provided I
> have the capacity to do so without dropping packets?
> Mike Lococo
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
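Added example, not code from the thread and not from Sourcefire/VRT or Emerging Threats: a small POSIX shell script that pulls the options out of the "preprocessor http_inspect_server: server default" block of two snort.conf texts and reports where the local copy deviates from the reference copy, which in practice is the etc/snort.conf shipped in the VRT tarball that Joel describes above. The two configs embedded in the script are constructed samples (the local one adds the normalize_cookies and normalize_headers options Mike asks about and changes one value); they are not the real VRT defaults.

```sh
#!/bin/sh
# Added example, not code from the thread or from VRT/Sourcefire.
# Extracts the options of the "preprocessor http_inspect_server: server default"
# block from two snort.conf texts and reports where the local one deviates from
# the reference copy (in practice: the etc/snort.conf shipped in the VRT tarball).
# Both configs below are constructed samples, not the real VRT defaults.
export LC_ALL=C   # one collation for sort and comm

REFERENCE_CONF='
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    ports { 80 8080 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    u_encode yes \
    webroot no
preprocessor ftp_telnet: global inspection_type stateful
'

# Same block with the extra normalization options, plus one changed value.
LOCAL_CONF='
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 300 \
    client_flow_depth 0 \
    ports { 80 8080 } \
    enable_cookie \
    normalize_cookies \
    normalize_headers \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    u_encode yes \
    webroot no
'

# Print each option of the "server default" block on its own line, together
# with its value(s), so "server_flow_depth 0" and "server_flow_depth 300"
# compare as different. Backslash-continued lines are joined first.
# Heuristic: a lowercase bare word at brace depth 0 starts a new option,
# except for the value words listed in BEGIN (yes/no and the profile names).
http_inspect_options() {
    printf '%s\n' "$1" | awk '
    BEGIN { n = split("yes no all apache iis iis4_0 iis5_0", v, " ")
            for (k = 1; k <= n; k++) values[v[k]] = 1 }
    {
        line = $0
        cont = (line ~ /\\[ \t]*$/)
        sub(/\\[ \t]*$/, "", line)
        if (!inblk) {
            if (line !~ /^[ \t]*preprocessor[ \t]+http_inspect_server:[ \t]+server[ \t]+default/) next
            inblk = 1
            sub(/^[ \t]*preprocessor[ \t]+http_inspect_server:[ \t]+server[ \t]+default/, "", line)
        }
        n = split(line, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            tok = t[i]
            if (tok == "") continue
            if (tok == "{") { depth++; cur = cur " {"; continue }
            if (tok == "}") { depth--; cur = cur " }"; continue }
            if (depth == 0 && tok ~ /^[a-z][a-z0-9_]*$/ && !(tok in values)) {
                if (cur != "") print cur
                cur = tok
            } else {
                cur = cur " " tok
            }
        }
        if (!cont) { if (cur != "") print cur; cur = ""; inblk = 0 }
    }'
}

# Lines starting "- " are in the reference only, "+ " in the local config only.
option_diff() {
    ref=$(mktemp)
    loc=$(mktemp)
    http_inspect_options "$1" | sort > "$ref"
    http_inspect_options "$2" | sort > "$loc"
    comm -23 "$ref" "$loc" | sed 's/^/- /'
    comm -13 "$ref" "$loc" | sed 's/^/+ /'
    rm -f "$ref" "$loc"
}

# Usage with real files (paths are placeholders):
#   option_diff "$(cat /path/to/vrt-tarball/etc/snort.conf)" "$(cat /etc/snort/snort.conf)"
option_diff "$REFERENCE_CONF" "$LOCAL_CONF"
```

For the two samples the script prints one "-" line (server_flow_depth 0) and three "+" lines (normalize_cookies, normalize_headers, server_flow_depth 300). Each "+" line is an option the rules were not tested against: normalize_headers and normalize_cookies change what the http_header and http_cookie buffers contain, while the http_raw_header and http_raw_cookie buffers keep the unnormalized data, so a rule written against one buffer under the reference config may no longer see the same bytes under the local one. The option parser is a heuristic tuned to the snort.conf syntax shown here, not a full parser of the preprocessor configuration language.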