Re: Having http_inspect problems, can't turn options off]

[Daniel Roelker <droelker () sourcefire com>]

Hi, 

Your two unique http_inspect_server configs are wrong.  You need to add
what ports to inspect on each of those configs.  For example, 

preprocessor http_inspect_server: server xxx.xxx.158.212 \
    ports { 80 } ascii no bare_byte no iis_unicode no double_decode no

Without specifying a list of HTTP ports on a unique server profile,
you'll just end up using the default profile which in your case has the
bare_byte encoding turned on.  So that's why you're seeing the alerts.

Dan

On Mon, 2004-08-09 at 13:40, Jeremy Hewlett wrote:
> ----- Forwarded message from Chris Schock <black () clapthreetimes com> -----
>
> From: "Chris Schock" <black () clapthreetimes com>
> To: snort-users () lists sourceforge net
> Reply-To: black () clapthreetimes com
> Subject: [Snort-users] Having http_inspect problems, can't turn options off
> Return-Path: <snort-users-admin () lists sourceforge net>
> Date: Fri, 6 Aug 2004 10:33:57 -0600 (MDT)
> User-Agent: SquirrelMail/1.4.3a-0.f1.1
> X-Mailer: SquirrelMail/1.4.3a-0.f1.1
>
> I am using Snort 2.2 RC1
>
> Here is my http_inspect config in snort.conf"
>
> ================
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252 \
>     proxy_alert
>
> preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no
> preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 } oversize_dir_length 500
> ================
>
> My problem is that I am still getting lots and lots of "BARE BYTE UNICODE
> ENCODING" alerts for both servers, despite trying to suppress that
> specific alert for one, and turning alerting completely off for the other.
> I tried turning it off globally as well, but whenever I try that snort
> complains that there is a configuration problem.
>
> What am I doing wrong?
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ----- End forwarded message -----
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users