Snort mailing list archives
Lots of http_inspect alerts - configuration hints?
From: "Dahlmann, Stephan" <Stephan.Dahlmann () zapp com>
Date: Wed, 28 Sep 2005 10:26:13 +0200
Hi all,

I am running an IDS with two sensors inside our DMZ. One sensor is for LAN -> DMZ (Internet), one for DMZ -> LAN. There are 3 Squids running in our network (3 locations with one network) and 2 IIS web servers. Snort is installed from the Debian Sarge package, version 2.3.1. Rules are the standard rules, not all enabled...

The thing is: especially the proxies are generating lots of alerts, mostly

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) OVERSIZE CHUNK ENCODING

and some more. I figured out that there are several possibilities to configure or disable the http_inspect preprocessor, but some just don't work...

Here is an extract from my snort.conf.eth1, which is LAN -> DMZ

------
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

# IIS webserver inspect rule
preprocessor http_inspect_server: server 10.0.0.80 ports { 80 81 } bare_byte no oversize_dir_length 600

# proxy-2 rule
preprocessor http_inspect_server: server 10.0.0.90 ports { 8080 } bare_byte no

# proxy 3 rule
preprocessor http_inspect_server: server 10.0.0.70 ports { 80 8080 } bare_byte no oversize_dir_length 600

# MS ISA server which will replace all three squids
preprocessor http_inspect_server: server 10.0.0.100 ports { 8080 } bare_byte no oversize_dir_length 800
-----

As you see, I already set the oversize_dir_length to 600! But I am still getting alerts... I suppose it's hard to say if I misconfigured something because you don't know my network, but some hints or explanations of the meaning and occasion of the alerts would be great...

Thanks in advance,
Stephan
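To see which of the entries above a given flow actually lands in, here is an added Python example (not from the thread and not Snort code): it parses the http_inspect_server lines quoted in the message and reports the entry, and the oversize_dir_length it carries, for a request sent to a given destination IP and port. The lookup model is an assumption based on how http_inspect selects server profiles: the entry whose server IP equals the destination wins, otherwise "default"; the port must then be in that entry's own port list, and a per-server entry does not inherit options from "default".

```python
import re

# The http_inspect_server lines from the message above (constructed input for this example).
SNORT_CONF = """
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor http_inspect_server: server 10.0.0.80 ports { 80 81 } bare_byte no oversize_dir_length 600
preprocessor http_inspect_server: server 10.0.0.90 ports { 8080 } bare_byte no
preprocessor http_inspect_server: server 10.0.0.70 ports { 80 8080 } bare_byte no oversize_dir_length 600
preprocessor http_inspect_server: server 10.0.0.100 ports { 8080 } bare_byte no oversize_dir_length 800
"""

SERVER_RE = re.compile(r"http_inspect_server:\s+server\s+(\S+)\s+(.*)")


def parse_servers(conf):
    """Map each server entry ('default' or an IP) to its ports and the two options at issue."""
    servers = {}
    for line in conf.splitlines():
        m = SERVER_RE.search(line)
        if not m:
            continue
        name, opts = m.groups()
        ports = re.search(r"ports\s*\{([^}]*)\}", opts)
        odl = re.search(r"oversize_dir_length\s+(\d+)", opts)
        bare = re.search(r"bare_byte\s+(yes|no)", opts)
        servers[name] = {
            "ports": {int(p) for p in ports.group(1).split()} if ports else set(),
            # None means the option is not set in this entry; entries do not inherit from 'default'
            "oversize_dir_length": int(odl.group(1)) if odl else None,
            "bare_byte": bare.group(1) if bare else None,
        }
    return servers


def profile_for(servers, dst_ip, dst_port):
    """Return (entry name, settings) that http_inspect would apply to a request sent to dst_ip:dst_port.

    Assumed lookup model: exact server IP match wins, otherwise 'default'; if dst_port is not
    in that entry's port list the flow is not inspected by it at all (settings is None).
    """
    name = dst_ip if dst_ip in servers else "default"
    entry = servers[name]
    return name, (entry if dst_port in entry["ports"] else None)


if __name__ == "__main__":
    servers = parse_servers(SNORT_CONF)
    # Flows the LAN -> DMZ sensor would see: clients to each proxy, and a proxy fetching from the Internet
    for ip, port in [("10.0.0.70", 8080), ("10.0.0.90", 8080), ("10.0.0.90", 80), ("203.0.113.10", 80)]:
        name, entry = profile_for(servers, ip, port)
        print(f"{ip}:{port} -> {name}: {entry}")
```

Run as-is it shows that a Squid's own request out to an Internet web server on port 80 falls under the default entry (oversize_dir_length 500), and that the 10.0.0.90 entry sets no oversize_dir_length at all.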
Current thread:
- Lots of http_inspect alerts - configuration hints? Dahlmann, Stephan (Sep 28)
- RE: Lots of http_inspect alerts - configuration hints? Briggs, Bruce (Sep 28)