Snort mailing list archives
Is it dangerous to tweak http_inspect defaults
From: Mike Lococo <mikelococo () gmail com>
Date: Wed, 12 Oct 2011 12:29:08 -0400
Hi Folks,

I'm doing a periodic review of my snort.conf config against what is included in the current tarball and noticing that there are a number of seemingly useful http_inspect options that aren't enabled by default. I'm looking at normalize_cookies, normalize_headers, and normalize_utf in particular. I understand that turning these on might have some performance impact, and am comfortable measuring that.

What I'm less clear on is whether enabling these options will adversely affect any rule logic. In particular, I'm thinking of effects like those described in [1], where data is removed from a buffer where it used to be present (like http_header) and put *instead* into a new buffer (like http_cookie) that may or may not be checked. Another potential negative effect I can imagine is where rules are actually coded to look for content that gets normalized out (for example, looking for a URI with many consecutive slashes in it).

Is the VRT config a best practice that one deviates from only with good reason and much testing, or does it represent a minimum bar where it's likely to be worth enabling additional normalization if you have the CPU cycles for it?

[1] http://trojanedbinaries.com/blog/?p=212

Best Regards,
Mike Lococo
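To make the two concerns in the question concrete, here is an added example (not from the post, not Snort's own code) that models in a few lines of Python how the rule-visible buffers change when cookie extraction and URI slash normalization are switched on. The parser is a deliberate simplification of http_inspect, and the request and rule contents are constructed for illustration.

```python
import re

# Constructed sample request (not a real capture): the Cookie header carries a
# token a rule might look for, and the path has the consecutive slashes the
# question mentions.
RAW_REQUEST = (
    "GET /cgi-bin///admin//login.php?user=a HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: test-agent\r\n"
    "Cookie: session=abc; flag=badtoken\r\n"
    "\r\n"
)


def split_buffers(raw, extract_cookie=False, normalize_uri=False):
    """Simplified model (assumption, not Snort's parser) of how http_inspect
    fills the buffers rules match on. With extract_cookie the Cookie line is
    taken out of http_header and placed in http_cookie; with normalize_uri
    runs of '/' in the path collapse to a single '/'."""
    request_line, _, rest = raw.partition("\r\n")
    headers, _, _ = rest.partition("\r\n\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    header_lines = headers.split("\r\n")
    cookie = ""
    if extract_cookie:
        kept = []
        for line in header_lines:
            if line.lower().startswith("cookie:"):
                cookie = line.split(":", 1)[1].strip()
            else:
                kept.append(line)
        header_lines = kept
    if normalize_uri:
        path, sep, query = uri.partition("?")
        uri = re.sub(r"/+", "/", path) + sep + query
    return {
        "http_uri": uri,
        "http_header": "\r\n".join(header_lines) + "\r\n",
        "http_cookie": cookie,
    }


def rule_matches(buffers, content, buffer_name):
    """Equivalent of content:"<content>"; <buffer_name>; (case-sensitive)."""
    return content in buffers[buffer_name]


def match_before_and_after(raw, content, buffer_name):
    """Return (match with defaults, match with both normalizations enabled)
    so a rule's behaviour can be compared across the two configurations."""
    before = rule_matches(split_buffers(raw), content, buffer_name)
    after = rule_matches(split_buffers(raw, True, True), content, buffer_name)
    return before, after
```

Run over RAW_REQUEST, a rule with `content:"badtoken"; http_header;` matches only before cookie extraction, while `content:"badtoken"; http_cookie;` matches only after it; a rule keyed on `"//"` in http_uri stops matching once slashes are collapsed.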