Snort mailing list archives
RE: Snort 2.1.0 - Shutting up http_inspect on non web servers
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 14 Jan 2004 14:25:10 -0600
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of James Nonya
Sent: Wednesday, January 14, 2004 1:19 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.1.0 - Shutting up http_inspect on non web servers

Paul,

Have you tried setting it to monitor port 0 or something like that? Maybe telling http_inspect to monitor a little used port would work..think I'll try that now.

I haven't, but ISTM that would defeat the purpose of the preprocessor, wouldn't it?

I just tried enabling *only* the global preprocessor. That resulted in the following alerts:

    NON-RFC HTTP DELIMITER
    APACHE WHITESPACE (TAB)
    NON-RFC DEFINED CHAR
    OVERSIZE CHUNK ENCODING

Even that is too much for me. All I want the preprocessor to do is normalize http traffic before it's compared to the normal web rules.

So then I tried this:

    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252

    preprocessor http_inspect_server: server default \
        ports { 80 8080 } \
        no_alerts

And it seems to be working. At least I'm not getting alerts from the preprocessor itself, not even non-rfc defined char alerts.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
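An added example, not part of the original message and not Snort's own code: a small Python check that reads snort.conf text and reports, for each http_inspect_server stanza, the ports it covers and whether no_alerts is set. The function names and the sample text are constructed for illustration; the sample reuses the configuration from the message above.

```python
import re

# Constructed sample: the configuration quoted in the message above.
SAMPLE_CONF = r"""
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    no_alerts
"""

def logical_lines(text):
    """Skip comment lines and join backslash-continued lines into one."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():  # file ended on a continuation line
        yield buf.strip()

def audit_http_inspect(text):
    """Return one dict per http_inspect_server stanza found in the text."""
    stanza = re.compile(r"preprocessor\s+http_inspect_server\s*:\s*server\s+(.*)")
    results = []
    for line in logical_lines(text):
        m = stanza.match(line)
        if not m:
            continue
        rest = m.group(1)
        tokens = rest.split()
        ports = re.search(r"\bports\s*\{([^}]*)\}", rest)
        results.append({
            "server": tokens[0],  # "default" or a server address
            "ports": [int(p) for p in ports.group(1).split()] if ports else [],
            "no_alerts": "no_alerts" in tokens,
        })
    return results

if __name__ == "__main__":
    for entry in audit_http_inspect(SAMPLE_CONF):
        print(entry)
```

Stanzas reported with no_alerts set to False are the ones that can still raise the preprocessor's own alerts.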