Snort mailing list archives

RE: Having http_inspect problems, can't turn options off


From: "Kenneth Trimmer" <kenneth.trimmer () parkvale com>
Date: Fri, 6 Aug 2004 15:33:22 -0400

I have recently experienced similar problems and this is what I have done to
fix it. I turned off alerting because of the overabundance of false
positives. I believe that the false positives are in response to the SRC IP
address having a high port number. I believe that the http_inspect preprocessor
is monitoring for HTTP traffic on ports other than 80 and that is when it sends
off the alert. I do believe that the folks at Sourcefire know this and are
working on a fix. So in the meantime here is my preprocessor line.

preprocessor http_inspect_server: server default \
    profile all ports { 80  } oversize_dir_length 500 no_alerts

preprocessor http_inspect_server: server 172.25.1.28 \
    profile apache ports { 80 } no_alerts

It looks like you need the no_alerts on the default preprocessor as well as
the additional preprocessors.

This should not be too much of a risk because http_inspect will continue
to do the normalization behind the scenes and alert on anything that matches
a rule.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris Schock
Sent: Friday, August 06, 2004 12:34 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Having http_inspect problems, can't turn options off

I am using Snort 2.2 RC1

Here is my http_inspect config in snort.conf:

================
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    proxy_alert

preprocessor http_inspect_server: server xxx.xxx.158.212 bare_byte no
preprocessor http_inspect_server: server xxx.xxx.158.213 no_alerts

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500
================

My problem is that I am still getting lots and lots of "BARE BYTE UNICODE
ENCODING" alerts for both servers, despite trying to suppress that
specific alert for one, and turning alerting completely off for the other.
I tried turning it off globally as well, but whenever I try that snort
complains that there is a configuration problem.

What am I doing wrong?




-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



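A small added example, not code from either poster or from the Snort project: a Python lint for the http_inspect_server lines of a snort.conf, run over a constructed copy of the config in the question (192.0.2.212/.213 stand in for the masked addresses). It reports which server blocks carry no_alerts and which ports each block covers, and models which block a given destination falls under. Two things are assumptions, labelled in the code as well: a server block without a ports list covers port 80 only (the default the Snort manual gives for http_inspect_server), and a destination IP that has its own block is handled by that block alone, with no fallback to the default block when the port is not in its list.

```python
"""Lint the http_inspect_server lines of a Snort 2.x snort.conf.

Added example for this thread; it is not code from the posters or from the
Snort project.  It understands the keywords used in the thread (profile,
ports, no_alerts, bare_byte, oversize_dir_length) plus any other
'keyword yes|no' or 'keyword <number>' pair.  Assumptions, both labelled
here: (1) a server block without a 'ports' list covers port 80 only, as the
Snort manual gives for http_inspect_server; (2) a destination IP with its
own server block is handled by that block alone, with no fallback to
'default' when the port is not in the block's port list.
"""
import re

# Constructed sample: the two server IPs are documentation addresses
# standing in for the masked xxx.xxx.158.212/.213 in the question.
SAMPLE_CONF = r"""
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    proxy_alert

preprocessor http_inspect_server: server 192.0.2.212 bare_byte no
preprocessor http_inspect_server: server 192.0.2.213 no_alerts

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500
"""

SERVER_RE = re.compile(r"preprocessor\s+http_inspect_server:\s*server\s+(\S+)\s*(.*)")
PORTS_RE = re.compile(r"ports\s*\{([^}]*)\}")


def join_continuations(text):
    """snort.conf continues a directive on the next line with a trailing backslash."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def parse_server_blocks(text):
    """Map each 'server <ip|default>' block to its ports, no_alerts flag and options."""
    blocks = {}
    for line in join_continuations(text).splitlines():
        m = SERVER_RE.match(line.strip())
        if not m:
            continue
        key, rest = m.group(1), m.group(2)
        # Assumption 1: no 'ports' list means port 80 only.
        cfg = {"ports": {80}, "no_alerts": False, "profile": None, "options": {}}
        pm = PORTS_RE.search(rest)
        if pm:  # an explicit port list replaces the assumed default of 80
            cfg["ports"] = {int(p) for p in pm.group(1).split()}
            rest = rest[:pm.start()] + rest[pm.end():]
        tokens = rest.split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "no_alerts":
                cfg["no_alerts"] = True
                i += 1
            elif tok == "profile" and nxt is not None:
                cfg["profile"] = nxt
                i += 2
            elif nxt is not None and (nxt in ("yes", "no") or nxt.isdigit()):
                cfg["options"][tok] = nxt  # e.g. 'bare_byte no', 'oversize_dir_length 500'
                i += 2
            else:
                cfg["options"][tok] = True  # bare flag such as 'non_strict'
                i += 1
        blocks[key] = cfg
    return blocks


def lookup(blocks, dst_ip, dst_port):
    """Block that inspects traffic to dst_ip:dst_port, or None if not inspected.

    Assumption 2: the IP-specific block is chosen first and there is no
    fallback to 'default' when the port is outside that block's list."""
    cfg = blocks.get(dst_ip, blocks.get("default"))
    if cfg is None or dst_port not in cfg["ports"]:
        return None
    return cfg


def alerts_enabled(blocks, dst_ip, dst_port):
    """True when http_inspect would raise its own alerts for this destination."""
    cfg = lookup(blocks, dst_ip, dst_port)
    return cfg is not None and not cfg["no_alerts"]


def missing_no_alerts(blocks):
    """Server blocks still alerting; the reply's fix needs no_alerts on 'default' too."""
    return sorted(k for k, cfg in blocks.items() if not cfg["no_alerts"])


if __name__ == "__main__":
    blocks = parse_server_blocks(SAMPLE_CONF)
    for key, cfg in blocks.items():
        print(f"{key:12} ports={sorted(cfg['ports'])} no_alerts={cfg['no_alerts']} "
              f"profile={cfg['profile']} options={cfg['options']}")
    print("blocks without no_alerts:", missing_no_alerts(blocks))
    print("alerts for 192.0.2.1:8080 ->", alerts_enabled(blocks, "192.0.2.1", 8080))
```

On the sample, the lint shows what the question's config actually says: the .213 block has no_alerts but covers port 80 only, the .212 block has bare_byte turned off on port 80 only, and the default block, which is the one covering 8080 and every other destination, has no no_alerts at all. That is the gap the reply's configuration closes by putting no_alerts on the default block as well as the per-server ones.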

