Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Ok, Ok - I know - http_inspect

From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 18 Jun 2004 07:55:12 -0700 (PDT)

I put no_alerts to stop all gen_id 119 alerts for now
- snort runs and shows it in effect, since most if not
ALL of these alerts are from internal web servers (we
have too many), which are under normal usage. I guess
there are bigger fish in the pond. 

BTW, I did use threshold.conf to suppress gen_id 119
alerts, it won't stop them. 

Thank you so much again!



--- sekure <sekure () gmail com> wrote:

What are you trying to do?  Those alerts look
legitimate, as in, you
configure http_inspect_server to only notify you of
attacks it spots
in URI content, and according to snort documentation
"When enabled,
only the URI portion of HTTP requests will be
inspected for attacks.
As this field usually contains 90-95% of the web
attacks, you'll catch
most of the attacks."

So you are still getting the alerts.  I couldn't
find an acceptible
configuration of http_inspect_server which didn't
generate a ton of
false positives, and i tried EVERYTHING.  I still
wanted to be able to
use the uricontent keyword, so i needed
http_inspect, so i defined
http_inspect_server as:

preprocessor http_inspect_server: server default \
    profile apache \
    ports { 80 8080 } \
    no_alerts

The no_alerts stops all of the gen_id 119 alerts
from showing up.  

On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty
<cwcwcwg () yahoo com> wrote:


All,

I have set up to enable inspect_uri_only:

preprocessor http_inspect_server: server default \
   profile all ports { 80 8080 8180 }
oversize_dir_length 500 inspect_uri_only

and when I run snort, it did show:

Only inspect URI: YES

but I still have hundreds of http_inspect alerts

in

short period of time, like the kinds:

[**] [119:15:1] (http_inspect) OVERSIZE

REQUEST-URI

DIRECTORY [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP

DELIMITER

[**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK

ENCODING

[**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE
ENCODING [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE

(TAB)

[**]
[**] [119:2:1] (http_inspect) DOUBLE DECODING

ATTACK

[**]

Can someone shed some lights on it please?

Thanks
Sw.

---snipped---




-------------------------------------------------------

This SF.Net email is sponsored by The 2004
JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's
Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center
in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf
Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:


http://www.geocrawler.com/redir-sf.php3?list=snort-users






                
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: