Re: Snort 2.1.0 - Shutting up http_inspect on non web servers

[James Nonya <slave_tothe_box () yahoo com>]

On Wed, 14 Jan 2004 14:25:10 -0600
"Schmehl, Paul L" <pauls () utdallas edu> wrote:

> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net 
> > [mailto:snort-users-admin () lists sourceforge net]
On Behalf Of 
> > James Nonya
> > Sent: Wednesday, January 14, 2004 1:19 PM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Snort 2.1.0 - Shutting
up 
> > http_inspect on non web servers
> >
> > Paul,
> >
> > Have you tried setting it to monitor port 0 or
> > something like that?  Maybe telling http_instpect
to
> > monitor a little used port would work..think I'll
try
> > that now.
> I haven't, but ISTM that would defeat the purpose of
the preprocessor,
> wouldn't it?
>
> I just tried enabling *only* the global
preprocessor.  That resulted in
> the following alerts:
> NON-RFC HTTP DELIMITER
> APACHE WHITESPACE (TAB)
> NON-RFCF DEFINED CHAR
> OVERSIZE CHUNK ENCODING
>  
> Even that is too much for me.  All I want the
preprocessor to do is
> normalize http traffic before it's compared to the
normal web rules.
> So then I tried this:
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     ports { 80 8080 } \
>     no_alerts
>
> And it seems to be working.  At least I'm not
getting alerts from the
> preprocessor itself, not even non-rfc defined char
alerts.
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/ 

Paul,

As I understand it:

 preprocessor http_inspect: global \
     iis_unicode_map unicode.map 1252
 
 preprocessor http_inspect_server: server default \
     ports { 0 } \
     no_alerts

would affect how snort handles unspecified http
traffic.  Adding a:

preprocessor http_inspect_server: server ipaddress \
     ports { 80 8080 } \
     profile iis

would still monitor the traffic for that server ip
yes?  I think I should have specified that..hehe.  My
goal was to stop monitoring client to external web
traffic, but monitor external traffic to my web
servers.  Looks like your method should work
fine...maybe changing to a little used port would
reduce load...not sure though.  Thanks!

James


__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus


-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users