Snort mailing list archives
Re: Ok, Ok - I know - http_inspect
From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 18 Jun 2004 10:09:38 -0400
Snortty wrote:
All,

I have set up to enable inspect_uri_only:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 inspect_uri_only

and when I run snort, it did show:

Only inspect URI: YES

but I still have hundreds of http_inspect alerts in a short period of time, like the kinds:

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
You almost have to explicitly spell out each server and disable the false positive checks in the inspect parameters. That takes care of most of the http_inspect false hits, but then there are the regular snort signatures that can be fired off.
The only option I've found to avoid this is to use threshold.conf to disable the "false positive" alerts generated by your secured and patched (known to be invulnerable) servers. For example, you can eliminate most of the IIS-type attacks if you're running Apache.
Jeff
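To make Jeff's two suggestions concrete, here is an added example (not code from the thread or from the Snort project) that takes a constructed sample of alert_fast output carrying the gid 119 signatures Snortty reported, plus a constructed inventory of which web servers are Apache and which are IIS, and produces two things: one explicit http_inspect_server line per known server with the matching profile, and threshold.conf suppress entries that silence a given http_inspect check only for the specific known, patched host it keeps firing on. The IP addresses, ports and server inventory are all made up for the example; the http_inspect_server and suppress syntax is the Snort 2 form used in the thread and in threshold.conf.

```python
"""Turn noisy http_inspect alerts into per-server config and threshold.conf entries."""
import re
from collections import Counter

# Constructed sample alerts in Snort alert_fast format (not from the thread).
# The gid:sid pairs and messages are the ones reported in the thread; the
# timestamps, source hosts and destination servers are invented for this example.
SAMPLE_ALERTS = """\
06/18-09:58:01.000001  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
06/18-09:58:02.000001  [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**] [Priority: 3] {TCP} 192.0.2.11:51001 -> 198.51.100.5:80
06/18-09:58:02.500000  [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**] [Priority: 3] {TCP} 192.0.2.12:51002 -> 198.51.100.5:80
06/18-09:58:03.000001  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 192.0.2.13:51003 -> 198.51.100.6:8080
06/18-09:58:04.000001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.14:51004 -> 203.0.113.9:80
"""

# Constructed inventory of the web servers we own and what they run. Only hosts
# listed here are treated as known and patched; anything else keeps alerting.
KNOWN_SERVERS = {
    "198.51.100.5": "apache",
    "198.51.100.6": "iis",
}

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return a list of dicts (gid, sid, rev, msg, proto, src, dst, dport) for every alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or non-alert lines
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def http_inspect_servers(known, alerts):
    """Emit the default line plus one explicit http_inspect_server line per known host.

    Each known server gets the profile matching its software (apache or iis) so the
    checks meant for the other server type are not applied to it. Ports are taken
    from the traffic actually seen for that host, defaulting to 80."""
    ports_seen = {}
    for a in alerts:
        if a["dst"] in known:
            ports_seen.setdefault(a["dst"], set()).add(a["dport"])
    lines = ["preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 }"]
    for ip, kind in sorted(known.items()):
        ports = " ".join(str(p) for p in sorted(ports_seen.get(ip, {80})))
        lines.append(f"preprocessor http_inspect_server: server {ip} profile {kind} ports {{ {ports} }}")
    return lines


def suppress_rules(alerts, known):
    """Build threshold.conf 'suppress' entries for http_inspect (gid 119) alerts whose
    destination is a known, patched server.

    Rules are keyed by (gid, sid, dst) and tracked by_dst, so each one silences exactly
    one check for exactly one host; alerts against unknown hosts are left alone."""
    counts = Counter(
        (a["gid"], a["sid"], a["dst"], a["msg"])
        for a in alerts
        if a["gid"] == 119 and a["dst"] in known
    )
    rules = []
    for (gid, sid, dst, msg), n in sorted(counts.items()):
        rules.append(f"# {n} hit(s): {msg}")
        rules.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}")
    return rules


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("\n".join(http_inspect_servers(KNOWN_SERVERS, parsed)))
    print()
    print("\n".join(suppress_rules(parsed, KNOWN_SERVERS)))
```

Running it prints a server block for snort.conf followed by suppress entries for threshold.conf. Note that the alert against 203.0.113.9 (a host not in the inventory) produces no suppress rule: suppression is deliberately scoped to hosts you have verified as patched, which is the point Jeff makes about only silencing alerts from servers known to be invulnerable. A suppress line that keys on sig_id alone, with no ip, would hide the same check for every server on the wire and should be avoided.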