Is it possible to rule out in alert all HTTPS traffic or rule out all the HTTPS trafic from the alerts on snort ?
I'm confused - please tell us what problem you are trying to solve.
1 Like
ok the situation is i have a IDS ( SourceFire ) is snort based and i have a completly normal snort rule, that looks for a escape character on normal HTTP request and he assumes that the type of request on some of the strings i have on my network are a exploit but in fact is not is just a HTTPS that escape the ASCII (a-f 0-9) in this case the rule looks for %1u content and in fact that character "u" exists in some of the requests in https for security reasons. I would like to say Snort if u see any HTTPS request dont use this rule or edit that rule and put only HTTP not on HTTPS transactions.
Disable the original rule, copy it to rules.local and edit it so it doesn't apply to HTTPS?