Snort mailing list archives
Re: Ok, Ok - I know - http_inspect
From: sekure <sekure () gmail com>
Date: Fri, 18 Jun 2004 09:59:09 -0400
What are you trying to do? Those alerts look legitimate, as in, you configure http_inspect_server to only notify you of attacks it spots in URI content, and according to snort documentation "When enabled, only the URI portion of HTTP requests will be inspected for attacks. As this field usually contains 90-95% of the web attacks, you'll catch most of the attacks." So you are still getting the alerts. I couldn't find an acceptible configuration of http_inspect_server which didn't generate a ton of false positives, and i tried EVERYTHING. I still wanted to be able to use the uricontent keyword, so i needed http_inspect, so i defined http_inspect_server as: preprocessor http_inspect_server: server default \ profile apache \ ports { 80 8080 } \ no_alerts The no_alerts stops all of the gen_id 119 alerts from showing up. On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty <cwcwcwg () yahoo com> wrote:
All, I have set up to enable inspect_uri_only: preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 inspect_uri_only and when I run snort, it did show: Only inspect URI: YES but I still have hundreds of http_inspect alerts in short period of time, like the kinds: [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**] [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] Can someone shed some lights on it please? Thanks Sw.
---snipped--- ------------------------------------------------------- This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- <Possible follow-ups>
- RE: Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Koski, Brian (Jun 16)
- RE: Ok, Ok - I know - http_inspect SN ORT (Jun 17)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 18)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect SN ORT (Jun 18)
- Re: Ok, Ok - I know - http_inspect Chris Keladis (Jun 18)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect Jeff Kell (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 17)