Snort mailing list archives
Re: Is it dangerous to tweak http_inspect defaults
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 12 Oct 2011 12:55:58 -0400
What we call our "current" snort.conf is the .conf that is shipped in the VRT rules download tarball in the etc/ directory. It contains our current configuration that we test and write our rules against and also what we expect environments, for the most part, to be configured like. This snort.conf is synced before "release" of a Snort version (so the version that is shipped in Snort 2.9.1.1's etc/ directory is the configuration that was current at that time). When the configuration changes I post them on http://blog.snort.org.

All Snort configurations require tuning for their environment (memory, rules enabled, locations, vars, etc.); however, the detection options should be enabled in order to provide full coverage and utilize the full features of Snort.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 12, 2011, at 12:29 PM, Mike Lococo wrote:
> Hi Folks,
>
> I'm doing a periodic review of my snort.conf config against what is included in the current tarball and noticing that there are a number of seemingly useful http_inspect options that aren't enabled by default. I'm looking at normalize_cookies, normalize_headers, and normalize_utf in particular. I understand that turning these on might have some performance impact, and am comfortable measuring that.
>
> What I'm less clear on is whether enabling these options will adversely affect any rule logic. In particular, I'm thinking of effects like those described in [1], where data is removed from a buffer where it used to be present (like http_header) and put *instead* into a new buffer (like http_cookie) that may or may not be checked. Another potential negative effect I can imagine is where rules are actually coded to look for content that gets normalized out (for example, looking for a URI with many consecutive slashes in it).
>
> Is the VRT config a best practice that one deviates from only with good reason and much testing, or does it represent a minimum bar where it's likely to be worth enabling additional normalization if you have the CPU cycles for it?
>
> [1] http://trojanedbinaries.com/blog/?p=212
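The two side effects Mike describes (data moving from http_header into a separate http_cookie buffer, and URI content disappearing under normalization) are shown here as an added Python simulation. It is not Snort's http_inspect code and not code from either poster: it models a Cookie-extraction toggle and a slash-collapsing URI normalizer, runs constructed content-match rules against the resulting buffers with the options off and on, and reports which verdicts flipped, which is the regression check a tuner wants before enabling such options in production. The request, the rule names, the option flags `extract_cookies` and `normalize_uri_flag`, and the exact buffer semantics (for instance, an empty http_cookie buffer when extraction is off) are assumptions built for the example, not a statement of Snort's behaviour.

```python
"""Added simulation (not Snort code) of how enabling HTTP-inspection
normalization can move data between rule buffers and change verdicts."""
import re

# Constructed sample request for the example (not captured traffic).
RAW_REQUEST = (
    "GET /admin//..//config.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc123; role=admin\r\n"
    "User-Agent: scanner/1.0\r\n"
    "\r\n"
)

# Constructed rules: (name, buffer the content keyword is anchored to, content).
RULES = [
    ("header_role_admin", "http_header", "role=admin"),
    ("cookie_role_admin", "http_cookie", "role=admin"),
    ("uri_double_slash", "http_uri", "//"),
    ("raw_uri_double_slash", "http_raw_uri", "//"),
]


def parse_request(raw):
    """Split a request into method, URI, list of (name, value) headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, uri, headers, body


def normalize_uri(uri):
    """Collapse repeated slashes and resolve '.'/'..' segments (assumed
    normalizer behaviour for the example, not Snort's algorithm)."""
    collapsed = re.sub(r"/+", "/", uri)
    out = []
    for seg in collapsed.split("/"):
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty segment
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out) or "/"


def build_buffers(raw, extract_cookies, normalize_uri_flag):
    """Produce the rule buffers. With extract_cookies on, the Cookie header
    leaves http_header and lands in http_cookie; with normalize_uri_flag on,
    http_uri holds the normalized path while http_raw_uri keeps the original."""
    _method, uri, headers, _body = parse_request(raw)
    header_lines, cookies = [], []
    for name, value in headers:
        if extract_cookies and name.lower() == "cookie":
            cookies.append(value)
        else:
            header_lines.append("%s: %s" % (name, value))
    return {
        "http_raw_uri": uri,
        "http_uri": normalize_uri(uri) if normalize_uri_flag else uri,
        "http_header": "\r\n".join(header_lines),
        # Assumption of the model: without extraction the cookie buffer is empty.
        "http_cookie": "; ".join(cookies),
    }


def evaluate(raw, rules, extract_cookies, normalize_uri_flag):
    """Return {rule name: matched?} for one buffer configuration."""
    buffers = build_buffers(raw, extract_cookies, normalize_uri_flag)
    return {name: content in buffers[buf] for name, buf, content in rules}


def changed_verdicts(raw, rules):
    """Regression check: rules whose verdict flips once normalization is on."""
    before = evaluate(raw, rules, False, False)
    after = evaluate(raw, rules, True, True)
    return sorted(name for name in before if before[name] != after[name])


if __name__ == "__main__":
    for flags in ((False, False), (True, True)):
        print("extract_cookies=%s normalize_uri=%s -> %s"
              % (flags[0], flags[1], evaluate(RAW_REQUEST, RULES, *flags)))
    print("verdicts changed:", changed_verdicts(RAW_REQUEST, RULES))
```

Running it shows the pattern behind the question: a rule anchored on http_header that matched "role=admin" stops matching once cookies are extracted, a rule on http_cookie starts matching, and a rule looking for "//" in http_uri goes silent after normalization while the same content in http_raw_uri still fires. Feeding a representative sample of your own traffic through a check like this before and after a configuration change is a cheap way to catch rules that depend on the un-normalized layout.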
Current thread:
- Is it dangerous to tweak http_inspect defaults Mike Lococo (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Joel Esler (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Mike Lococo (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Joel Esler (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Mike Lococo (Oct 12)
- Re: Is it dangerous to tweak http_inspect defaults Joel Esler (Oct 12)