Snort mailing list archives
RE: Ok, Ok - I know - http_inspect
From: "Jeff Dell" <jdell () activeworx com>
Date: Wed, 16 Jun 2004 14:54:14 -0400
You are correct. I misread your first email when you said that /8 didn't work; I assumed you meant it didn't limit the events. If you look at the docs at:

http://www.snort.org/docs/snort_manual/node17.html#SECTION003810000000000000000

you will see all of the options for http_inspect; maybe one of these will help limit the alerts you are getting.

Jeff

_____

From: Rowland, Krisa W ERDC-ITL-MS Contractor [mailto:Krisa.W.Rowland () erdc usace army mil]
Sent: Wednesday, June 16, 2004 2:44 PM
To: 'Jeff Dell'; Rowland, Krisa W ERDC-ITL-MS Contractor; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

I get this error:

    ERROR: /export/home/krowland/snort-2.1.3/etc/snort.conf(288) => Invalid IP to 'server' token.

I guess you can't do a subnet - on a single server...

_____

From: Jeff Dell [mailto:jdell () activeworx com]
Sent: Wednesday, June 16, 2004 11:15 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor'; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect

It sounds like you want to limit it to only a single class C, and not a class A? If this is the case you would want to change the subnet mask to /24.

Cheers,
Jeff

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rowland, Krisa W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] Ok, Ok - I know - http_inspect

I know I'm going to get slaughtered for even bringing up the subject of http_inspect. I've read through the old posts, and also read through the manual. I'm hoping that someone can offer clarification or guidance on this, though. I do not want to disable this option - but at the moment I'm going to have to - it's just pouring out too many alerts.

I tried to limit these alerts to only my webfarm subnet by doing this:

    preprocessor http_inspect_server: server x.x.x.0/8 \
        profile all ports { 80 8080 8180 } oversize_dir_length 500

But it didn't like that. I'd just like to restrict these alerts to one subnet - how do I do that? Shouldn't I use the "all" profile if I'm pretty sure that I have Apache and IIS servers?

Krisa Rowland
ERDC Information Assurance Team (SAIC Contractor)
3909 Halls Ferry Rd., Bldg. 8000
Vicksburg, MS 39180
601-634-2493
krisa.w.rowland () erdc usace army mil
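The error quoted above ("Invalid IP to 'server' token") is the parser rejecting the CIDR suffix: in the Snort 2.1.x http_inspect_server syntax the `server` token takes either the keyword `default` or one host IP address. The fragment below is an added example written for this page, not configuration posted in the thread or shipped by the Snort project. It shows the shape that approach takes: a `default` entry that keeps URI normalization but silences the preprocessor's own alerts, plus one explicit entry per web-farm host that does alert. The addresses 10.0.5.10, 10.0.5.11 and 10.0.5.12 and the port lists are assumed placeholders; which options may be combined with `profile` is taken from the 2.1.x manual's http_inspect section, so confirm the file parses on your version before relying on it.

```conf
# Added example (not from the thread or from the Snort distribution).
# Snort 2.1.x: the 'server' token accepts 'default' or a single IP, not a subnet,
# so alerts are scoped by listing each web-farm host explicitly.
# 10.0.5.10-12 are assumed placeholder addresses for the web farm.

# Global http_inspect settings: exactly one instance.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Every server that is NOT listed below. Normalization still runs (so
# uricontent rules keep matching), but http_inspect's own alerts are off.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } \
    no_alerts

# Web-farm hosts: one entry each. Pick the profile that matches the
# server software so the normalization rules fit what it actually does.
preprocessor http_inspect_server: server 10.0.5.10 \
    profile apache ports { 80 8080 } \
    oversize_dir_length 500

preprocessor http_inspect_server: server 10.0.5.11 \
    profile iis ports { 80 } \
    oversize_dir_length 500

# A host whose software is unknown or mixed: 'all' alerts on both
# Apache- and IIS-style evasions, at the cost of more noise.
preprocessor http_inspect_server: server 10.0.5.12 \
    profile all ports { 80 8080 8180 } \
    oversize_dir_length 500
```

Run `snort -T -c snort.conf` after editing to have Snort parse the configuration and exit; an unsupported option or a bad `server` value is reported the same way as the error quoted in the thread. Note that `no_alerts` on the `default` entry only suppresses http_inspect's own preprocessor alerts (directory traversal, oversize directory, encoding anomalies and the like); rule-based web alerts for hosts outside the farm are still raised unless the rules themselves are restricted by `$HTTP_SERVERS`.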
Current thread:
- Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- <Possible follow-ups>
- RE: Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Koski, Brian (Jun 16)
- RE: Ok, Ok - I know - http_inspect SN ORT (Jun 17)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 18)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect SN ORT (Jun 18)
- Re: Ok, Ok - I know - http_inspect Chris Keladis (Jun 18)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect Jeff Kell (Jun 18)