Snort mailing list archives

Re: Ok, Ok - I know - http_inspect

From: sekure <sekure () gmail com>
Date: Fri, 18 Jun 2004 09:59:09 -0400

What are you trying to do?  Those alerts look legitimate, as in, you
configure http_inspect_server to only notify you of attacks it spots
in URI content, and according to snort documentation "When enabled,
only the URI portion of HTTP requests will be inspected for attacks.
As this field usually contains 90-95% of the web attacks, you'll catch
most of the attacks."

So you are still getting the alerts.  I couldn't find an acceptible
configuration of http_inspect_server which didn't generate a ton of
false positives, and i tried EVERYTHING.  I still wanted to be able to
use the uricontent keyword, so i needed http_inspect, so i defined
http_inspect_server as:

preprocessor http_inspect_server: server default \
    profile apache \
    ports { 80 8080 } \
    no_alerts

The no_alerts stops all of the gen_id 119 alerts from showing up.  

On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty <cwcwcwg () yahoo com> wrote:


All,

I have set up to enable inspect_uri_only:

preprocessor http_inspect_server: server default \
   profile all ports { 80 8080 8180 }
oversize_dir_length 500 inspect_uri_only

and when I run snort, it did show:

Only inspect URI: YES

but I still have hundreds of http_inspect alerts in
short period of time, like the kinds:

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI
DIRECTORY [**]
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER
[**]
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING
[**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE
ENCODING [**]
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB)
[**]
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK
[**]

Can someone shed some lights on it please?

Thanks
Sw.

---snipped---


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- <Possible follow-ups>
- RE: Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
  - RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Koski, Brian (Jun 16)
- RE: Ok, Ok - I know - http_inspect SN ORT (Jun 17)
  - RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
    - Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
    - Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
    - Re: Ok, Ok - I know - http_inspect sekure (Jun 18)
    - Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
    - Re: Ok, Ok - I know - http_inspect SN ORT (Jun 18)
    - Re: Ok, Ok - I know - http_inspect Chris Keladis (Jun 18)
    - Re: Ok, Ok - I know - http_inspect Jeff Kell (Jun 18)
    - Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
    - Re: Ok, Ok - I know - http_inspect Snortty (Jun 17)