Snort mailing list archives
Re: (http_inspect) UNKNOWN METHOD error on squid
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 4 Mar 2015 11:21:35 +0000
Hello, Can you provide a pcap of the traffic that is causing the alerts? What this alert is telling you is that one of the http_methods used in the packet is either not in your preprocessor config or malformed/invalid. Albert Lewis QA Software Engineer SOURCEfire, Inc. now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email: allewi () cisco com From: Terry John [mailto:Terry.John () completeautomotivesolutions co uk] Sent: Wednesday, March 04, 2015 5:52 AM To: snort-users Subject: [Snort-users] (http_inspect) UNKNOWN METHOD error on squid I am trying to work out how to stop of thousands of false positives caused by access to squid proxy on port 3128. Here is a typical error. [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] <date>-<time> <src_ip>:35360 -> <squid_server_ip>:3128 TCP TTL:128 TOS:0x0 ID:87051 IpLen:20 DgmLen:775 DF ***A**** Seq: 0x126F0768 Ack: 0x859E62D4 Win: 0x4980 TcpLen: 32 Here is what I think is the relevant section of the pre-processor declaration preprocessor http_inspect_server: server default \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ allow_proxy_use \ ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \ I have a local rule to reduce the number of errors but I would rather not have to do that # This is to reduce the number of 'unknown method' http alerts event_filter gen_id 119, sig_id 31, type limit, track by_src, count 1, seconds 10 I feel that squid proxy is so common that there should be a standard setting for this but at the moment I just can't find it. If I delete port 3128 from the list of ports then the rule is not applied but I don't think that is what we want. Thanks The Manheim group of companies within the UK comprises: Manheim Europe Limited (registered number: 03183918), Manheim Auctions Limited (registered number: 00448761), Manheim Retail Services Limited (registered number: 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time Communications Limited (registered number: 04277845) and Complete Automotive Solutions Limited (registered number: 05302535). Each of these companies is registered in England and Wales with the registered office address of Central House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under various brand/trading names including Manheim Inspection Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions. V:0CF72C13B2AC
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- (http_inspect) UNKNOWN METHOD error on squid Terry John (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid Al Lewis (allewi) (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid Terry John (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid Al Lewis (allewi) (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid Terry John (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid James Lay (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid Terry John (Mar 04)
- Re: (http_inspect) UNKNOWN METHOD error on squid Al Lewis (allewi) (Mar 04)