Snort mailing list archives

Re: Snort 2.1.0 - Shutting up http_inspect on non web servers


From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 14 Jan 2004 11:18:38 -0800 (PST)

On Wed, 14 Jan 2004 09:14:44 -0600
"Schmehl, Paul L" <pauls () utdallas edu> wrote:

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of James Nonya
Sent: Wednesday, January 14, 2004 8:16 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.1.0 - Shutting up http_inspect on non web servers

Hehe...here's from a previous post:

preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 300 \
    ascii no \
    utf_8 no \
    bare_byte no \
    base36 no \
    iis_unicode no \
    double_decode no \
    non_rfc_char { 0x00 } \
    multi_slash no \
    iis_backslash no \
    directory no \
    apache_whitespace no \
    iis_delimiter no \
    chunk_length 64000 \
    non_strict

This should have been sufficient, with one exception.  It does not "shut
up" non_rfc_chars.  Anyone know how to do that?

preprocessor http_inspect_server: server default \
     ports { 80 8080 } \
     flow_depth 300 \
     no_alerts
 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


Paul,

Have you tried setting it to monitor port 0 or
something like that?  Maybe telling http_inspect to
monitor a little-used port would work... think I'll try
that now.

James
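
Added example, not part of the original messages or of Snort itself: a small Python audit of `http_inspect_server` directives that reports, per directive, the inspected ports, whether `no_alerts` is set, and which options are not switched off. The grammar and the "not silenced" rule (an option set to `yes`, or a byte list such as `non_rfc_char`) are assumptions inferred from the two directives quoted in the thread; the sample config is constructed from them.

```python
import re

PREFIX = "preprocessor http_inspect_server:"

# Constructed sample: the thread's two directives, the first one shortened.
SAMPLE_CONF = r"""
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    ascii no \
    non_rfc_char { 0x00 } \
    chunk_length 64000 \
    non_strict
preprocessor http_inspect_server: server default \
     ports { 80 8080 } \
     flow_depth 300 \
     no_alerts
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop blanks and '#' comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (l.split("#", 1)[0].strip() for l in joined.splitlines())
    return [l for l in lines if l]

def parse_server(line):
    """Return (server, options); grammar assumed from the thread's examples."""
    toks = line[len(PREFIX):].replace("{", " { ").replace("}", " } ").split()
    opts, i = {}, 2                      # toks[0:2] == ["server", "<name>"]
    while i < len(toks):
        name, i = toks[i], i + 1
        if i < len(toks) and toks[i] == "{":          # brace list
            end = toks.index("}", i)
            opts[name], i = toks[i + 1:end], end + 1
        elif i < len(toks) and re.fullmatch(r"yes|no|\d+", toks[i]):
            opts[name], i = toks[i], i + 1            # yes/no or number
        else:
            opts[name] = True                         # bare flag
    return toks[1], opts

def audit(text):
    """Per directive: ports, no_alerts, and options not switched off."""
    rows = []
    for line in filter(lambda l: l.startswith(PREFIX), logical_lines(text)):
        server, o = parse_server(line)
        noisy = sorted(k for k, v in o.items() if v == "yes"
                       or (isinstance(v, list) and k != "ports"))
        rows.append({"server": server, "ports": [int(p) for p in o.get("ports", [])],
                     "no_alerts": "no_alerts" in o, "not_silenced": noisy})
    return rows
```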

