Snort mailing list archives
Re: Snort Configuration - Length of the http request method
From: hsasai7 () gmail com
Date: Wed, 14 Nov 2012 06:23:37 +0000
Thanks for the advice. I noticed I had an older version at /user/local/bin. The latest version that I installed is at /opt/local/bin, which is working fine with the snort.conf.
Joel Esler <jesler () sourcefire com>:
What version of Snort is this?
Snort -V
On Nov 7, 2012, at 10:24 PM, Hiroyuki Sasai <hsasai7 () gmail com> wrote:
> Here's my http_inspect in snort.conf (which I got from
> http://www.snort.org/vrt/snort-conf-configurations/)
>
> =================================================
> # HTTP normalization and anomaly detection. For more information, see README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
> http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
> chunk_length 500000 \
> server_flow_depth 0 \
> client_flow_depth 0 \
> post_depth 65495 \
> oversize_dir_length 500 \
> max_header_length 750 \
> max_headers 100 \
> max_spaces 200 \
> small_chunk_length { 10 5 } \
> ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 50002 55555 } \
> non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
> enable_cookie \
> extended_response_inspection \
> inspect_gzip \
> normalize_utf \
> unlimited_decompress \
> normalize_javascript \
> apache_whitespace no \
> ascii no \
> bare_byte no \
> directory no \
> double_decode no \
> iis_backslash no \
> iis_delimiter no \
> iis_unicode no \
> multi_slash no \
> utf_8 no \
> u_encode yes \
> webroot no
> =================================================
>
> There seemed to be some http methods that are longer than 7 characters.
> So I modified the http_methods part as below.
>
> =========snip==========
> preprocessor http_inspect_server: server default \
> http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE } \
> =========snip==========
>
> And I reran it, then I got another error.
>
> =========snip==========
> ERROR: /etc/snort/snort.conf(328) => Invalid keyword 'max_spaces' for
> server configuration.
> Fatal Error, Quitting..
> =========snip==========
>
> max_spaces in http_inspect is set to "200".
> Even if I commented out the max_spaces, I got the same error for other
> keyword (small_chunk_length).
>
> Shouldn't I use the snort.conf from
> http://www.snort.org/vrt/snort-conf-configurations/?
> Some keywords in preprocessors in the snort.conf seem to be invalid or unknown.
>
> Thanks,
>
> H
>
>
> 2012/11/6 Bhagya Bantwal <bbantwal () sourcefire com>:
>> Can you please send me your http inspect configuration?
>>
>> This is an error that happens when http_methods has a method longer than 7
>> chars.
>>
>> -B
>>
>> On Fri, Oct 26, 2012 at 5:14 AM, <hsasai7 () gmail com> wrote:
>>>
>>> Hi,
>>>
>>> I've just installed snort Version 2.9.3.1 on Mac Book Pro.
>>> When I run it, I received the following error message.
>>>
>>> $sudo /usr/local/bin/snort -d -e -i en1 -c /etc/snort/snort.conf
>>>
>>>
>>> ERROR: /etc/snort/snort.conf(328) => Length of the http request method
>>> shoould not exceed the max request method length of '7'.
>>> Fatal Error, Quitting..
>>>
>>>
>>> Here's the line 328 of my "snort.conf".
>>>
>>> webroot no
>>>
>>>
>>> What do I need to adjust in snort.conf to set the max request method
>>> length less than 7?
>>>
>>
>>
>
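Added example, not part of the original thread and not Snort project code: a small checker that joins the backslash-continued lines of a snort.conf and lists every `http_methods` entry longer than the limit quoted in the error message above. The sample configuration, the function names and the default limit of 7 (taken from the error text; it depends on the Snort build actually being run) are assumptions of this example.

```python
import re

# Limit quoted in the thread's error message; it depends on the Snort build in use.
MAX_METHOD_LEN = 7

# Constructed sample (not the poster's file): a backslash-continued server block.
SAMPLE_CONF = """\
# HTTP normalization (constructed sample)
preprocessor http_inspect_server: server default \\
    http_methods { GET POST OPTIONS PROPFIND RPC_CONNECT } \\
    max_header_length 750 \\
    webroot no
"""

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line, last_line, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, no, buf + line
        buf, start = "", None

def long_methods(conf_text, limit=MAX_METHOD_LEN):
    """Return (first_line, last_line, method) for each http_methods entry over the limit."""
    findings = []
    for first, last, line in logical_lines(conf_text):
        stripped = line.lstrip()
        if stripped.startswith("#") or "http_inspect_server" not in stripped:
            continue
        for block in re.finditer(r"http_methods\s*\{([^}]*)\}", stripped):
            findings += [(first, last, m) for m in block.group(1).split() if len(m) > limit]
    return findings

if __name__ == "__main__":
    # The parser error in the thread named the statement's last line ("webroot no"),
    # so both ends of the continued statement are printed.
    for first, last, method in long_methods(SAMPLE_CONF):
        print(f"lines {first}-{last}: {method} ({len(method)} chars)")
```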