Snort mailing list archives

RE: Ok, Ok - I know - http_inspect


From: "Jeff Dell" <jdell () activeworx com>
Date: Wed, 16 Jun 2004 14:54:14 -0400

You are correct. I misread your first email: when you said that /8 didn't
work, I assumed you meant it didn't limit the events. If you look at the
docs at: 
 
http://www.snort.org/docs/snort_manual/node17.html#SECTION0038100000000000000000 
 
You will see all of the options for http_inspect, maybe one of these will
help limit the alerts you are getting.
 
Jeff


  _____  

From: Rowland, Krisa W ERDC-ITL-MS Contractor
[mailto:Krisa.W.Rowland () erdc usace army mil] 
Sent: Wednesday, June 16, 2004 2:44 PM
To: 'Jeff Dell'; Rowland, Krisa W ERDC-ITL-MS Contractor;
Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect


I get this error:
 
ERROR: /export/home/krowland/snort-2.1.3/etc/snort.conf(288) => Invalid IP
to 'server' token.

I guess you can't do a subnet - on a single server...

  _____  

From: Jeff Dell [mailto:jdell () activeworx com] 
Sent: Wednesday, June 16, 2004 11:15 AM
To: 'Rowland, Krisa W ERDC-ITL-MS Contractor';
Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Ok, Ok - I know - http_inspect


It sounds like you want to limit it to only a single class C, and not a
class A? If this is the case you would want to change the subnet mask to /24.
 
Cheers,
Jeff


  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rowland, Krisa
W ERDC-ITL-MS Contractor
Sent: Wednesday, June 16, 2004 11:54 AM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] Ok, Ok - I know - http_inspect



I know I'm going to get slaughtered for even bringing up the subject of
http_inspect.  I've read through the old posts, and also read through the
manual.  I'm hoping that someone can offer clarification or guidance on
this, though.  I do not want to disable this option - but at the moment I'm
going to have to - just pouring out too many alerts.  

I tried to limit these alerts to only my webfarm subnet by doing this: 

preprocessor http_inspect_server: server x.x.x.0/8 \ 
    profile all ports { 80 8080 8180 } oversize_dir_length 500 

But it didn't like that.  I'd just like to restrict these alerts to one
subnet - how do I do that?  

Shouldn't I use the all profile if I'm pretty sure that I have apache and
IIS servers?  

Krisa Rowland 
ERDC Information Assurance Team 
(SAIC Contractor) 
3909 Halls Ferry Rd.,  Bldg. 8000 
Vicksburg, MS 39180 
601-634-2493 
krisa.w.rowland () erdc usace army mil 
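The thread concludes that, in Snort 2.1.3, the `server` token of http_inspect_server takes a single IP address, not a CIDR block, which is why `x.x.x.0/8` produces "Invalid IP to 'server' token." The fragment below is an added example, not part of the original thread or Snort's own documentation: it shows the pattern that worked on that version, one explicit `server <ip>` stanza per web farm host, with a `server default` stanza carrying `no_alerts` so hosts outside the farm are still normalized but do not generate HTTP Inspect alerts. The addresses 192.0.2.10 through 192.0.2.12 are constructed placeholders, and the option set is assumed from the Snort 2.1.x http_inspect README (only `ports`, `iis_unicode_map`, `allow_proxy_use`, `flow_depth`, `no_alerts`, `inspect_uri_only` and `oversize_dir_length` may be combined with a `profile`).

```conf
# snort.conf fragment (added example; IPs are constructed placeholders)

# The global stanza must come first. iis_unicode_map is required here;
# unicode.map ships with the Snort source tree.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Everything that is not matched by an explicit "server <ip>" stanza falls
# through to "server default". no_alerts keeps URI normalization (so
# content/uricontent rules still work) but suppresses HTTP Inspect's own
# alerts for hosts outside the web farm.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } no_alerts

# One stanza per web farm host. Snort 2.1.3 accepts a single IP per stanza;
# "server 192.0.2.0/24" is rejected on this version, so enumerate the hosts.
# profile all is the right choice when the farm mixes Apache and IIS.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor http_inspect_server: server 192.0.2.11 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

# An IIS-only host can use the narrower iis profile instead of all.
preprocessor http_inspect_server: server 192.0.2.12 \
    profile iis ports { 80 } oversize_dir_length 500
```

Validate the edited configuration with `snort -T -c snort.conf` before restarting the sensor; the same "Invalid IP to 'server' token" error will surface at that stage if a CIDR slips back into a `server` stanza.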

