Re: http_inspect config options?

[Jeremy Hewlett <jh () sourcefire com>]

Hi Rich, *wave*

On Sun, Feb 27, Rich Adamson wrote:
> Okay, tried that, and regardless of how I format the line, snort responds
> with:
> ERROR: E:\snort-v2-3\etc\snort.conf(306) => Invalid token while configuring the
> profile token.  The only allowed tokens when configuring profiles are: 'ports',
> 'iis_unicode_map', 'allow_proxy_use', 'flow_depth', 'no_alerts', 'oversize_dir_l
> ength', and 'inspect_uri_only'.
> Fatal Error, Quitting..

Both Global and Profile configuration directives have a limited set of
overrides. If you want to change a profile (read: IIS, Apache), you
should replace your IIS/Apache/All profile with a Server configuration
and include the options you want:

preprocessor http_inspect_server: server 1.1.1.1 \
    ports { 80 3128 8080 } \
    flow_depth 0 \
    ascii no \
    double_decode no \
    non_rfc_char { 0x00 } \
    chunk_length 500000 

Remember when specifying "yes" or "no" that all you're modifying 
is whether or not to *alert* on that type of encoding. Including it in
the configuration will automatically enable that type of scrubbing.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users