Snort mailing list archives
Re: Ok, Ok - I know - http_inspect
From: SN ORT <snort_on_acid () yahoo com>
Date: Fri, 18 Jun 2004 13:42:21 -0700 (PDT)
Yes, but is that really gen_id 119? I mean you can threshold the snort sigs but I don't know that you can threshold inspect alerts! Anyone try to threshold decode or inspect alerts? I don't know because I have not looked at threshold too much, but I do know that you have to specify a sig_id, which these particular alerts do not have. Good luck sir! Cheese!

Marc

--- Snortty <cwcwcwg () yahoo com> wrote:
I put no_alerts to stop all gen_id 119 alerts for now - snort runs and shows it in effect, since most if not ALL of these alerts are from internal web servers (we have too many), which are under normal usage. I guess there are bigger fish in the pond. BTW, I did use threshold.conf to suppress gen_id 119 alerts, it won't stop them. Thank you so much again!

--- sekure <sekure () gmail com> wrote:

What are you trying to do? Those alerts look legitimate, as in, you configure http_inspect_server to only notify you of attacks it spots in URI content, and according to snort documentation "When enabled, only the URI portion of HTTP requests will be inspected for attacks. As this field usually contains 90-95% of the web attacks, you'll catch most of the attacks." So you are still getting the alerts.

I couldn't find an acceptable configuration of http_inspect_server which didn't generate a ton of false positives, and I tried EVERYTHING. I still wanted to be able to use the uricontent keyword, so I needed http_inspect, so I defined http_inspect_server as:

    preprocessor http_inspect_server: server default \
        profile apache \
        ports { 80 8080 } \
        no_alerts

The no_alerts stops all of the gen_id 119 alerts from showing up.
On Fri, 18 Jun 2004 06:04:34 -0700 (PDT), Snortty <cwcwcwg () yahoo com> wrote:

All, I have set up to enable inspect_uri_only:

    preprocessor http_inspect_server: server default \
        profile all \
        ports { 80 8080 8180 } \
        oversize_dir_length 500 \
        inspect_uri_only

and when I run snort, it did show:

    Only inspect URI: YES

but I still have hundreds of http_inspect alerts in a short period of time, like the kinds:

    [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
    [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
    [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
    [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
    [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
    [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]

Can someone shed some light on it please?

Thanks
Sw.

---snipped---
-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
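Snortty's fix above is a blanket no_alerts, which silences every http_inspect event on every monitored server, while the stated problem is a handful of gen_id 119 events fired by a known set of internal web servers under normal use. Marc's point is that suppression needs a sig_id. The script below is an added example, not code from this thread or from the Snort project: it parses alert_fast-style lines (the sample lines are constructed, with hypothetical 10.x and 203.0.113.x addresses standing in for internal servers and an external host), counts events by gen_id, sig_id and destination, and emits threshold.conf suppress entries scoped with track by_dst to the specific server, using Snort 2.x's `suppress gen_id N, sig_id N, track by_dst, ip A.B.C.D` syntax. Whether a given Snort release applies threshold.conf to preprocessor events is something to confirm against your own version and alert output; Snortty reports above that a gen_id-only suppress did not stop them for him.

```python
"""Turn a burst of Snort http_inspect (gen_id 119) alerts into targeted
threshold.conf 'suppress' entries instead of a blanket 'no_alerts'."""
import ipaddress
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not taken from the thread).
# 10.2.2.0/24 plays the internal web servers, 203.0.113.5 an external host.
SAMPLE_ALERTS = """\
06/18-09:01:02.000001 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.1.50:33001 -> 10.2.2.10:80
06/18-09:01:03.000002 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.1.51:33002 -> 10.2.2.10:80
06/18-09:01:04.000003 [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.52:33003 -> 10.2.2.11:8080
06/18-09:01:05.000004 [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.53:33004 -> 10.2.2.11:8080
06/18-09:01:06.000005 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.1.54:33005 -> 10.2.2.10:80
06/18-09:01:07.000006 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 2] {TCP} 192.0.2.77:40001 -> 10.2.2.10:80
06/18-09:01:08.000007 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.1.60:33006 -> 203.0.113.5:80
06/18-09:01:09.000008 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 10.1.1.61:33007 -> 203.0.113.5:80
06/18-09:01:10.000009 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.77:40002 -> 10.2.2.10:80
06/18-09:01:11.000010 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.78:40003 -> 10.2.2.10:80
"""

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport".
# Preprocessor events carry "(http_inspect)" at the front of msg.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def tally(lines):
    """Count alerts by (gid, sid, destination IP); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["gid"], alert["sid"], alert["dst"])] += 1
    return counts


def suppress_rules(lines, internal_nets, gid=119, min_count=2):
    """Emit threshold.conf suppress lines for noisy preprocessor events.

    Only events with the given gen_id, destined to an address inside one of
    internal_nets, and seen at least min_count times get a rule.  Each rule is
    scoped with 'track by_dst, ip <server>', so the same sig_id against any
    host not listed (e.g. the external 203.0.113.5 in the sample) still fires,
    as do all signature (gen_id 1) alerts against the internal servers.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    rules = []
    for (g, s, dst), n in sorted(tally(lines).items()):
        if g != gid or n < min_count:
            continue
        if not any(ipaddress.ip_address(dst) in net for net in nets):
            continue
        rules.append(f"suppress gen_id {g}, sig_id {s}, track by_dst, ip {dst}")
    return rules


if __name__ == "__main__":
    # Prints two suppress lines for the constructed sample (sig_id 13 and 15).
    for rule in suppress_rules(SAMPLE_ALERTS.splitlines(), ["10.2.2.0/24"]):
        print(rule)
```

Feed it real alert_fast output (for example `python3 suppress.py < /var/log/snort/alert`) after swapping SAMPLE_ALERTS for sys.stdin, paste the emitted lines into threshold.conf, and leave no_alerts out of the http_inspect_server stanza so the remaining 119 events, and every event against hosts outside the listed servers, are still reported. Raising min_count or narrowing internal_nets keeps the rules from growing past the servers that are actually noisy.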
Current thread:
- RE: Ok, Ok - I know - http_inspect, (continued)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Rowland, Krisa W ERDC-ITL-MS Contractor (Jun 16)
- RE: Ok, Ok - I know - http_inspect Jeff Dell (Jun 16)
- RE: Ok, Ok - I know - http_inspect Koski, Brian (Jun 16)
- RE: Ok, Ok - I know - http_inspect SN ORT (Jun 17)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 18)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 18)
- Re: Ok, Ok - I know - http_inspect SN ORT (Jun 18)
- Re: Ok, Ok - I know - http_inspect Chris Keladis (Jun 18)
- RE: Ok, Ok - I know - http_inspect Snortty (Jun 17)
- Re: Ok, Ok - I know - http_inspect Jeff Kell (Jun 18)
- Re: Ok, Ok - I know - http_inspect sekure (Jun 17)
- Re: Ok, Ok - I know - http_inspect Snortty (Jun 17)