Snort mailing list archives

Re: Ok, Ok - I know - http_inspect


From: Snortty <cwcwcwg () yahoo com>
Date: Fri, 18 Jun 2004 06:04:34 -0700 (PDT)

All,

I have set up the following to enable inspect_uri_only:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 inspect_uri_only

and when I run snort, it did show:

Only inspect URI: YES

but I still have hundreds of http_inspect alerts in a short period of time, like these:

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]

Can someone shed some light on it please?

Thanks
Sw.

--- sekure <sekure () gmail com> wrote:
You are missing a slash after your unicode statement.
All http_inspect config options want to be part of the same line; the \ escapes the carriage return.  Try this:

preprocessor http_inspect: global \
   iis_unicode_map unicode.map 1252 \  <--- Notice that slash
   inspect_uri_only



On Thu, 17 Jun 2004 12:00:52 -0700 (PDT), Snortty <cwcwcwg () yahoo com> wrote:

It's true that one cannot specify a subnet, but a single IP or global.

But I want to use inspect_uri_only enabled for ALL http_inspect alerts, and can only make it work if I enter an IP address to replace the default server 1.1.1.1.

It won't work if I put it like this (in snort.conf):

preprocessor http_inspect: global \
   iis_unicode_map unicode.map 1252
   inspect_uri_only

snort won't run, and detects an error due to this line.

Can anyone tell me how to enable

inspect_uri_only

for ALL http_inspect alerts (so no such alerts will be logged except uricontent inspection) please?

THANK YOU!
Sty



--- SN ORT <snort_on_acid () yahoo com> wrote:
I don't believe you will be able to specify a subnet.
I tried that a while ago and couldn't get it to work.
It's either global or server-specific.

Cheese!

Marc

Message: 1
From: Krisa Rowland <Krisa.W.Rowland () erdc usace army mil>
To: "'Snort-users () lists sourceforge net'" <Snort-users () lists sourceforge net>
Date: Wed, 16 Jun 2004 10:53:56 -0500
Subject: [Snort-users] Ok, Ok - I know - http_inspect


I know I'm going to get slaughtered for even bringing up the subject of http_inspect.  I've read through the old posts, and also read through the manual.  I'm hoping that someone can offer clarification or guidance on this, though.  I do not want to disable this option - but at the moment I'm going to have to - just pouring out too many alerts.

I tried to limit these alerts to only my webfarm subnet by doing this:

preprocessor http_inspect_server: server x.x.x.0/8 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

But it didn't like that.  I'd just like to restrict these alerts to one subnet - how do I do that?

Shouldn't I use the all profile if I'm pretty sure that I have Apache and IIS servers?

Krisa Rowland
<snip>







-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


               











                


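The two configuration mistakes this thread turns on (a preprocessor line that continues without its trailing backslash, so Snort reads the next option as a new directive, and an http_inspect_server target written as a subnet) are both easy to catch before starting snort. The linter below is an added example written for this archive page; it is not code from any of the posters or from the Snort project. It assumes a partial list of top-level snort.conf keywords, and the three sample stanzas are constructed from the configs quoted in the thread (x.x.x.0/8 is the thread's own placeholder).

```python
"""Lint a Snort 2.x http_inspect configuration fragment.

Added example, not part of Snort.  Flags the two problems raised in the
thread: an option left dangling because the previous line lacks its
trailing '\\', and an http_inspect_server 'server' argument given as a
subnet (http_inspect accepts 'default' or a single IP).
"""
import re

# Partial set of snort.conf top-level keywords (assumption; extend as needed).
TOP_LEVEL = {
    "preprocessor", "var", "portvar", "ipvar", "include", "output", "config",
    "dynamicpreprocessor", "dynamicengine", "alert", "log", "pass", "drop",
}

SERVER_RE = re.compile(r"^preprocessor\s+http_inspect_server:\s*server\s+(\S+)")


def join_continuations(text):
    """Merge lines the way Snort does: a trailing '\\' joins the next line.

    Returns a list of (first_physical_line_number, logical_line).
    """
    logical, buf, start = [], [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue          # directive continues on the next line
        buf.append(line)
        logical.append((start, " ".join(part for part in buf if part)))
        buf, start = [], None
    if buf:                   # file ended right after a '\'
        logical.append((start, " ".join(part for part in buf if part)))
    return logical


def lint(text):
    """Return [(line_number, message)] for problems in a snort.conf fragment."""
    problems = []
    for number, line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0].rstrip(":")
        if keyword not in TOP_LEVEL:
            # A bare option on its own logical line means the line above
            # lost its '\' and Snort would reject it as an unknown directive.
            problems.append((number, "'%s' is not a directive: the previous "
                                     "line is missing its trailing '\\'" % line))
            continue
        match = SERVER_RE.match(line)
        if match and "/" in match.group(1):
            problems.append((number, "server %s: http_inspect_server takes "
                                     "'default' or a single IP, not a subnet"
                                     % match.group(1)))
    return problems


# Constructed sample 1: the global stanza from the thread without the '\'.
BROKEN_GLOBAL = """\
preprocessor http_inspect: global \\
   iis_unicode_map unicode.map 1252
   inspect_uri_only
"""

# Constructed sample 2: the corrected global stanza plus a server stanza.
FIXED_CONF = """\
preprocessor http_inspect: global \\
   iis_unicode_map unicode.map 1252 \\
   inspect_uri_only

preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 8180 } \\
    oversize_dir_length 500 inspect_uri_only
"""

# Constructed sample 3: the subnet attempt (x.x.x.0/8 is the thread's placeholder).
SUBNET_CONF = """\
preprocessor http_inspect_server: server x.x.x.0/8 \\
    profile all ports { 80 8080 8180 } oversize_dir_length 500
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_GLOBAL), ("fixed", FIXED_CONF),
                       ("subnet", SUBNET_CONF)):
        print(name, lint(conf) or "OK")
```

Run it as a script to see the three verdicts, or feed `lint()` the text of a real snort.conf: the broken global stanza reports line 3 (`inspect_uri_only` standing alone), the subnet stanza reports line 1, and the corrected stanza reports nothing. The keyword set is deliberately conservative; a line starting with an unlisted directive will be reported as dangling, so add to TOP_LEVEL rather than weakening the check.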

