Snort mailing list archives
RE: Problems with snort-2.1.0
From: "Daniel J. Roelker" <droelker () sourcefire com>
Date: 14 Jan 2004 14:04:31 -0500
Hi Paul, Comments inline again, other users should be interested in this too.
> > detect_anomalous_servers: In the documentation it says, "This global configuration option enables generic HTTP server traffic inspection on non-HTTP configured ports, and alerts if HTTP traffic is seen." The docs say nothing about HOME_NET or any other variables in regard to http_inspect, so if you could point us to where you got that fact in the docs we'll be happy to fix it so it's less confusing.
>
> Obviously it was an assumption. I *thought* that http_inspect would only normalize and report on traffic within the context of existing, enabled rules, which would mean that if HTTP_SERVERS was defined, *that* is what it would report on. (Isn't that what http_decode did?)
http_decode alerts didn't take into account the HTTP_SERVERS variable either. On a side note, there's a big difference between the old http_decode and http_inspect. If you want to find out more about the differences you can check out the paper "HTTP IDS Evasions Revisited" at www.idsresearch.org. It explains the different types of evasions that http_inspect looks for and normalizes.

On an even greater side note, I wanted to thank the snort users for giving us feedback on the http_inspect profiles and configurations. As snort gets more advanced, the different configurations for application decoders will as well. Obviously, we try our best to make configuration as straightforward as possible, so please bear with us. We are taking a lot of the feedback we've gotten about http_inspect alerting and this will be updated in the Snort 2.1.1 release. So if any users are so inclined to test the release candidate for 2.1.1 out, please download the release candidate from the CVS HEAD branch. The commands are:

cvs -d:pserver:anonymous () cvs sourceforge net:/cvsroot/snort login

and then,

cvs -z3 -d:pserver:anonymous () cvs sourceforge net:/cvsroot/snort co snort

Run ./autojunk.sh and then configure and build.

One of the things that 2.1.1 updates is that non_rfc_char is taken out of all the pre-defined profiles. Also, no_alerts works for all of the http_inspect alerts. Thanks to the users who pointed this out. Any other suggestions that users want in 2.1.1 for http_inspect or otherwise, please let us know.
> > non_rfc_chars, other flags, etc: The non_rfc_char alerts have been an issue and we're taking that out of the default server policies, i.e. apache, iis, all. Which brings us to the issue that you didn't enable many of the flags that you are seeing alerts for. This is because you have enabled a profile, in this case 'all' to be specific. If you look at the documentation it tells you what flags are pre-set for this particular profile. So that's why you're seeing alerts for things that you didn't specifically set.
>
> I missed that, and I'm still not seeing it in README.http_inspect. Is it in there? Or in the snort manual? I don't see anything that discusses what the default, pre-set flags are for all, apache or iis. I do have a question though. Can you disable a default flag by using "flag_name no"?
It's at the end of README.http_inspect and starts like this:

-- Profile Breakout --

There are three profiles that users can select. Only the configurations that are listed under the profiles are turned on. If there is no mention of alert on or off, then that means there is no alert associated with the configuration.

As to your other question, you can't turn off individual flags in a profile. But you are definitely encouraged to create your own profiles, and several users have done this on the mailing list. I'm hoping that some users may want to create profiles for more web servers than the three that we've provided. I'd be more than happy to add any submitted server profiles that users make into an http_inspect configuration. So if anyone feels like helping . . . :)

--
Daniel Roelker
Software Developer
Sourcefire, Inc.
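The point made in the thread, that a `profile` keyword switches on every flag listed under "Profile Breakout" and none of them can be switched back off individually, is easiest to see in a snort.conf fragment. The following is an added example, not configuration from the original post or from the Snort project: it puts the `profile all` default-server line next to a hand-written server line for an Apache host that leaves `non_rfc_char` out entirely. Option names are taken from README.http_inspect of the Snort 2.1 era; the IP address 192.0.2.10, the port list, and the chosen values are assumptions for illustration, and the option set should be checked against the README shipped with the Snort version actually in use, since it changed between releases.

```conf
# snort.conf fragment: http_inspect (added example, not from the original post).
# Option names follow README.http_inspect for Snort 2.1.x; check the README
# shipped with your version, since the option set changed between releases.

# Global section. detect_anomalous_servers inspects HTTP seen on ports that no
# http_inspect_server line covers; it does not consult HTTP_SERVERS or HOME_NET.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    detect_anomalous_servers

# Before: the 'all' profile. This one keyword turns on every flag listed under
# "Profile Breakout" in README.http_inspect, including the non_rfc_char alerts,
# and no individual flag can be turned back off on this line.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }

# After: a hand-written server entry for an Apache host (192.0.2.10 is an
# assumed address). No 'profile' keyword, so only the options written here are
# in effect: non_rfc_char is simply omitted, and IIS-specific decoders stay off.
preprocessor http_inspect_server: server 192.0.2.10 \
    ports { 80 } \
    flow_depth 300 \
    ascii no \
    utf_8 no \
    u_encode yes \
    bare_byte yes \
    double_decode no \
    multi_slash no \
    directory no \
    apache_whitespace yes \
    iis_backslash no \
    iis_delimiter no \
    chunk_length 500000 \
    non_strict
```

The "yes"/"no" on the decoder options controls alerting, not decoding: `ascii no` still normalizes ASCII-encoded URIs but does not raise an alert for them, which is what you want for a server where that encoding is ordinary. A separate `server <ip>` line is needed per web server type; the `server default` line only catches hosts with no more specific entry.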
Current thread:
- Problems with snort-2.1.0 Schmehl, Paul L (Jan 12)
- <Possible follow-ups>
- RE: Problems with snort-2.1.0 Daniel J. Roelker (Jan 14)
- RE: Problems with snort-2.1.0 Andreas Östling (Jan 14)
- RE: Problems with snort-2.1.0 Daniel J. Roelker (Jan 15)
- Latest Snort 2.1.x on Solaris 8, Can anyone confirm please? Snortty (Mar 19)
- RE: Problems with snort-2.1.0 Andreas Östling (Jan 14)
- RE: Problems with snort-2.1.0 Schmehl, Paul L (Jan 14)
- RE: Problems with snort-2.1.0 DM (Jan 14)