Snort mailing list archives

RE: Problems with snort-2.1.0


From: "Daniel J. Roelker" <droelker () sourcefire com>
Date: 14 Jan 2004 14:04:31 -0500

Hi Paul,

Comments inline again; other users should be interested in this too.


> > detect_anomalous_servers:
> > In the documentation it says, "This global configuration
> > option enables generic HTTP server traffic inspection on
> > non-HTTP configured ports, and alerts if HTTP traffic is
> > seen.".  The docs say nothing about HOME_NET or any other
> > variables in regard to http_inspect, so if you could point us
> > to where you got that fact in the docs we'll be happy to fix
> > it so it's less confusing.
>
> Obviously it was an assumption.  I *thought* that http_inspect would
> only normalize and report on traffic within the context of existing,
> enabled rules, which would mean that if HTTP_SERVERS was defined, *that*
> is what it would report on.  (Isn't that what http_decode did?)


http_decode alerts didn't take into account the HTTP_SERVERS variable
either.  

On a side note, there's a big difference between the old http_decode and
http_inspect.  If you want to find out more about the differences
you can check out the paper "HTTP IDS Evasions Revisited" at
www.idsresearch.org.  It explains the different types of evasions that
http_inspect looks for and normalizes.

On an even greater side note, I wanted to thank the snort users for
giving us feedback on the http_inspect profiles and configurations.  As
snort gets more advanced, the different configurations for application
decoders will as well.  Obviously, we try our best to make configuration
as straightforward as possible, so please bear with us.

We are taking a lot of the feedback we've gotten about http_inspect
alerting and this will be updated in the Snort 2.1.1 release.  So if any
users are so inclined to test the release candidate for 2.1.1 out,
please download the release candidate from the CVS HEAD branch.  The
commands are:

cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/snort login

and then,

cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/snort co snort

run ./autojunk.sh and then configure and build.  One of the things that
2.1.1 updates is that non_rfc_char is taken out of all the pre-defined
profiles.  Also, no_alerts works for all of the http_inspect alerts. 
Thanks to the users who pointed this out.

Any other suggestions that users want in 2.1.1 for http_inspect or
otherwise, please let us know.

 
> > non_rfc_chars, other flags, etc:
> > The non_rfc_char alerts have been an issue and we're taking
> > that out of the default server policies, i.e. apache, iis,
> > all.  Which brings us to the issue that you didn't enable
> > many of the flags that you are seeing alerts for.  This is
> > because you have enabled a profile, in this case 'all' to be
> > specific.  If you look at the documentation it tells you what
> > flags are pre-set for this particular profile.  So that's why
> > you're seeing alerts for things that you didn't specifically set.
>
> I missed that, and I'm still not seeing it in README.http_inspect.  Is
> it in there?  Or in the snort manual?  I don't see anything that
> discusses what the default, pre-set flags are for all, apache or iis.
>
> I do have a question though.  Can you disable a default flag by using
> "flag_name no"?


It's at the end of README.http_inspect and starts like this :

-- Profile Breakout --
There are three profiles that users can select.  Only the configurations
that are listed under the profiles are turned on.  If there is no
mention of alert on or off, then that means there is no alert associated
with the configuration.

As to your other question, you can't turn off individual flags in a
profile.  But you are definitely encouraged to create your own profiles
and several users have done this on the mailing list.  I'm hoping that
some users may want to create profiles for more web servers than the
three that we've provided.  I'd be more than happy to add any
submitted server profiles that users make into an http_inspect
configuration.  So if anyone feels like helping . . . :)

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
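As an added illustration of the two points made in the message above (a profile pre-sets flags you never listed, and a profile's flags cannot be switched off one at a time), here is an http_inspect configuration fragment that is not part of the original thread. It uses the http_inspect_server option syntax documented in README.http_inspect; the server address 10.1.1.20 and the port list are made-up values.

```text
# Global http_inspect settings.  detect_anomalous_servers is a global
# option and does not consult HTTP_SERVERS or HOME_NET: it alerts on
# HTTP traffic seen on any port that is not configured as an HTTP port.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    detect_anomalous_servers

# Noisy form: 'profile all' turns on every flag the profile pre-sets
# (listed under "Profile Breakout" in README.http_inspect), including
# non_rfc_char on 2.1.0.  None of those flags can be disabled
# individually in this block; 'ascii no' style overrides are not
# accepted alongside a profile.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }

# Hand-built form for one server (10.1.1.20 is a made-up address).
# With no 'profile' keyword, only the options listed here are active,
# so any flag you do not want is simply left out.  Listing an option
# enables that normalization; the yes/no argument only controls whether
# it also raises an alert, which is how quiet ascii/multi_slash/directory
# handling is obtained without losing the normalization itself.
preprocessor http_inspect_server: server 10.1.1.20 \
    ports { 80 } \
    flow_depth 300 \
    ascii no \
    multi_slash no \
    directory no \
    iis_backslash no \
    apache_whitespace yes \
    double_decode yes \
    u_encode yes \
    bare_byte yes \
    iis_unicode yes \
    iis_delimiter yes \
    non_strict
```

Since the message above notes that on 2.1.0 no_alerts did not yet cover every http_inspect alert, the hand-built server block is the dependable way to silence one specific flag on that release; once non_rfc_char is dropped from the pre-defined profiles in 2.1.1, the 'profile all' line alone becomes considerably quieter.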


