Snort mailing list archives
RE: Snort 2.1.0 - Shutting up http_inspect on non web servers
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 14 Jan 2004 14:25:10 -0600
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of James Nonya
Sent: Wednesday, January 14, 2004 1:19 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.1.0 - Shutting up http_inspect on non web servers

Paul,
Have you tried setting it to monitor port 0 or something like that? Maybe telling http_inspect to monitor a little used port would work... think I'll try that now.

I haven't, but ISTM that would defeat the purpose of the preprocessor,
wouldn't it?
I just tried enabling *only* the global preprocessor. That resulted in
the following alerts:
NON-RFC HTTP DELIMITER
APACHE WHITESPACE (TAB)
NON-RFC DEFINED CHAR
OVERSIZE CHUNK ENCODING
Even that is too much for me. All I want the preprocessor to do is
normalize http traffic before it's compared to the normal web rules.
So then I tried this:
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    no_alerts
And it seems to be working. At least I'm not getting alerts from the
preprocessor itself, not even non-rfc defined char alerts.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
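
One way to check the result described in the message above, as an added example that is not part of the original post: tally a fast-format alert file by generator ID, where 119 is the generator Snort uses for http_inspect and 1 is the ordinary rule set. The log lines, addresses and the rule alert shown are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

HTTP_INSPECT_GID = 119   # generator ID for http_inspect preprocessor events
RULES_GID = 1            # generator ID for ordinary text rules

# Fast alert format: "<timestamp>  [**] [gid:sid:rev] message [**] ..."
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample: alerts seen with only the global preprocessor enabled.
SAMPLE_BEFORE = [
    "01/14-14:20:01.000001  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] {TCP} 192.0.2.10:1042 -> 192.0.2.80:80",
    "01/14-14:20:02.000001  [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**] {TCP} 192.0.2.10:1043 -> 192.0.2.80:80",
    "01/14-14:20:03.000001  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] {TCP} 192.0.2.11:2001 -> 192.0.2.80:80",
    "01/14-14:20:04.000001  [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] {TCP} 192.0.2.11:2002 -> 192.0.2.80:80",
    "01/14-14:20:05.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.12:3001 -> 192.0.2.80:80",
]
# Constructed sample: alerts seen after adding a server block with no_alerts.
SAMPLE_AFTER = [
    "01/14-14:40:05.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.12:3009 -> 192.0.2.80:80",
    "this line is not an alert and is skipped",
]

def tally(lines):
    """Return (Counter of http_inspect messages, count of rule alerts)."""
    preproc, rules = Counter(), 0
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # ignore blank or non-alert lines
        gid, msg = int(m.group(1)), m.group(4)
        if gid == HTTP_INSPECT_GID:
            preproc[msg.replace("(http_inspect) ", "", 1)] += 1
        elif gid == RULES_GID:
            rules += 1
    return preproc, rules

def quiet_but_detecting(lines):
    """True when no http_inspect alerts appear but web rules still fire."""
    preproc, rules = tally(lines)
    return not preproc and rules > 0

if __name__ == "__main__":
    for name, log in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        preproc, rules = tally(log)
        print(name, dict(preproc), "rule alerts:", rules, "ok:", quiet_but_detecting(log))
```

Requiring at least one rule alert guards against mistaking a sensor that has stopped seeing port 80 traffic for a quiet preprocessor.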
