Re: Snort http_decode preprocessor

[Erek Adams <erek () snort org>]

On Tue, 4 Mar 2003, Ralph Zimmermann wrote:

> I've just upgraded from snort version 1.8.7 (Build 128) to snort version
> 1.9.1 (Build 231).
> When I try to restart my snort processes I get an error in
> /var/log/messages and snort
> is stopping. The error is:
>
> Mar  4 09:57:05 xxxx snort: FATAL ERROR: ERROR:
> /usr/local/bin/snort/s1dmz.conf(185) => Unknown argument to http_decode
> preprocessor: "-unicode"
>
> > From what I saw in the 1.9.1 docs, the arguments to the http_decode
> preprocessor didn't change.
> Snort is configured as follows: preprocessor http_decode: 80 -unicode
> -cginull
> which is correct, from what I know.

Nope.  Wrong syntax.

Check the default snort.conf in the snort-1.9.1/etc dir:

  [erek@ghosts]/tmp/snort-1.9.1/src>grep unicode ../etc/snort.conf
  # unicode          - normalize unicode
  # iis_alt_unicode  - %u encoding from iis
  preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
  iis_flip_slash full_whitespace

No - needed.  That's what your problem is.

And yes, the docs do need to be updated to reflect this.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users