Re: Ok, Ok - I know - http_inspect

[Jeff Kell <jeff-kell () utc edu>]

Snortty wrote:

> All, 
>
> I have set up to enable inspect_uri_only:
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 }
> oversize_dir_length 500 inspect_uri_only
>
> and when I run snort, it did show: 
>
> Only inspect URI: YES
>
> but I still have hundreds of http_inspect alerts in
> short period of time, like the kinds:
>
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI
> DIRECTORY [**]
> [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER
> [**]
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING
> [**]
> [**] [119:4:1] (http_inspect) BARE BYTE UNICODE
> ENCODING [**]
> [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB)
> [**]
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK
> [**]

You almost have to explicitly spell out each server and disable the 
false positive checks in the inspect parameters.  That takes care of 
most of the http_inspect false hits, but then there are the regular 
snort signatures that can be fired off.

The only option I've found to avoid this is to use threshold.conf to 
disable the "false positive" alerts generated by your secured and 
patched (known to be invulnerable) servers.  For example, you can 
eliminate most of the IIS-type attacks if you're running Apache.

Jeff



-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users