Snort mailing list archives

Re: Snort Configuration - Length of the http request method


From: hsasai7 () gmail com
Date: Wed, 14 Nov 2012 06:23:37 +0000

Thanks for the advice.

I noticed I had an older version at /user/local/bin.
The latest version that I installed is at /opt/local/bin,
which is working fine with the snort.conf.


Joel Esler <jesler () sourcefire com>:
What version of Snort is this?

Snort -V

On Nov 7, 2012, at 10:24 PM, Hiroyuki Sasai <hsasai7 () gmail com> wrote:

> Here's my http_inspect in snort.conf (which I got from
> http://www.snort.org/vrt/snort-conf-configurations/)
>
> =================================================
> # HTTP normalization and anomaly detection. For more information, see
> README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
> http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK
> NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
> TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH
> BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST
> SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
> chunk_length 500000 \
> server_flow_depth 0 \
> client_flow_depth 0 \
> post_depth 65495 \
> oversize_dir_length 500 \
> max_header_length 750 \
> max_headers 100 \
> max_spaces 200 \
> small_chunk_length { 10 5 } \
> ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381
> 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014
> 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899
> 9000 9060 9080 9090 9091 9443 9999 11371 50002 55555 } \
> non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
> enable_cookie \
> extended_response_inspection \
> inspect_gzip \
> normalize_utf \
> unlimited_decompress \
> normalize_javascript \
> apache_whitespace no \
> ascii no \
> bare_byte no \
> directory no \
> double_decode no \
> iis_backslash no \
> iis_delimiter no \
> iis_unicode no \
> multi_slash no \
> utf_8 no \
> u_encode yes \
> webroot no
> =================================================

>
> There seemed to be some http methods that are longer than 7 characters.
> So I modified the http_methods part as below.
>
> =========snip==========
> preprocessor http_inspect_server: server default \
> http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK
> NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE
> TRACK CONNECT SOURCE } \
> =========snip==========
>
> And I reran it, then I got another error.
>
> =========snip==========
> ERROR: /etc/snort/snort.conf(328) => Invalid keyword 'max_spaces' for
> server configuration.
> Fatal Error, Quitting..
> =========snip==========
>
> max_spaces in http_inspect is set to "200".
> Even if I commented out the max_spaces, I got the same error for another
> keyword (small_chunk_length).
>
> Shouldn't I use the snort.conf from
> http://www.snort.org/vrt/snort-conf-configurations/)?
> Some keywords in preprocessors in the snort.conf seem to be invalid or unknown.
>
> Thanks,
>
> H
>

> 2012/11/6 Bhagya Bantwal <bbantwal () sourcefire com>:
>> Can you please send me your http inspect configuration?
>>
>> This is an error that happens when http_methods has a method longer than 7
>> chars.
>>
>> -B
>>
>> On Fri, Oct 26, 2012 at 5:14 AM, <hsasai7 () gmail com> wrote:
>>>
>>> Hi,
>>>
>>> I've just installed snort Version 2.9.3.1 on Mac Book Pro.
>>> When I ran it, I received the following error message.
>>>
>>> $sudo /usr/local/bin/snort -d -e -i en1 -c /etc/snort/snort.conf
>>>
>>> ERROR: /etc/snort/snort.conf(328) => Length of the http request method
>>> shoould not exceed the max request method length of '7'.
>>> Fatal Error, Quitting..
>>>
>>> Here's the line 328 of my "snort.conf".
>>>
>>> webroot no
>>>
>>> What do I need to adjust in snort.conf to set the max request method
>>> length less than 7?
>>>

>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>> news!
>>
>

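An added example, not part of the thread or of Snort itself: a Python check that folds backslash continuations in a snort.conf and lists `http_methods` entries longer than the 7-character limit quoted in the error message above. The sample config is constructed and the function names are hypothetical; as with the error in the thread, the reported line number is the last physical line of the continued directive.

```python
import re

# Limit taken from the error message quoted in the thread (assumption:
# it applies to the older binary that was being run).
MAX_METHOD_LEN = 7

# Constructed sample modelled on the http_inspect_server block in the thread.
SAMPLE_CONF = r"""
# HTTP normalization and anomaly detection
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH PROPFIND RPC_CONNECT BITS_POST } \
    chunk_length 500000 \
    webroot no
"""

def logical_lines(text):
    """Yield (last_physical_line_no, joined_text), folding '\\' continuations."""
    buf, no = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])      # directive continues on the next line
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield no, joined
    if buf:                            # file ended in the middle of a continuation
        yield no, " ".join(buf).strip()

def oversize_methods(text, limit=MAX_METHOD_LEN):
    """Return [(line_no, method)] for http_methods entries longer than limit."""
    hits = []
    for no, line in logical_lines(text):
        if not line.startswith("preprocessor http_inspect_server:"):
            continue
        for block in re.findall(r"\bhttp_methods\s*\{([^}]*)\}", line):
            hits += [(no, m) for m in block.split() if len(m) > limit]
    return hits

if __name__ == "__main__":
    for no, method in oversize_methods(SAMPLE_CONF):
        print(f"line {no}: method '{method}' is {len(method)} chars (limit {MAX_METHOD_LEN})")
```
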
